CVE-2026-54283
HighCVSS 7.5Exploitation Probability (EPSS)
Low risk19th percentile — higher than 19% of all known CVEs
Summary
Vulnerability in Starlette framework from version 0.4.1 to 1.3.1 causes max_fields and max_part_size limits for request.form() to be enforced only for multipart/form-data, but silently ignored for application/x-www-form-urlencoded. An unauthenticated attacker can send a request body with an arbitrarily large number of fields or an arbitrarily large field, bypassing configured limits.
Risk Assessment
The risk is a potential DoS (Denial of Service) attack by exhausting server resources (memory, CPU) through sending a malicious urlencoded request with excessive fields or oversized field.
Recommendation
Immediately update Starlette to version 1.3.1 or later, which contains the fix for this vulnerability.
Original NVD description (English source)
Starlette is a lightweight ASGI framework/toolkit. From 0.4.1 until 1.3.1, request.form() accepts max_fields and max_part_size to bound resource consumption while parsing form data. These limits are enforced for multipart/form-data, but silently ignored for application/x-www-form-urlencoded. An unauthenticated attacker can therefore send a urlencoded body with an arbitrarily large number of fields or an arbitrarily large field, even when the application configured limits it believed would apply. This vulnerability is fixed in 1.3.1.

