PYSEC-2026-248
See a problem?- Import Source
- https://github.com/pypa/advisory-database/blob/main/vulns/starlette/PYSEC-2026-248.yaml
- JSON Data
- https://api.osv.dev/v1/vulns/PYSEC-2026-248
- Aliases
-
- CVE-2026-54282
- GHSA-jp82-jpqv-5vv3
- Published
- 2026-06-22T18:16:46.807Z
- Modified
- 2026-06-27T11:15:06.799060438Z
- Severity
-
- 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS Calculator
- Summary
- [none]
- Details
-
Starlette is a lightweight ASGI framework/toolkit. Prior to 1.3.0, the HTTP request path is not validated before being used to reconstruct request.url. Because request.url is rebuilt by concatenating {scheme}://{host}{path} and re-parsing the result, a path that does not begin with / (for example @google.com) moves the authority boundary during re-parsing, so request.url.hostname and request.url.netloc become attacker-controlled. Code that reads request.url.hostname (rather than the Host header or scope) can therefore be misled into trusting an attacker-supplied host. This vulnerability is fixed in 1.3.0.
- References
Affected packages
PyPI / starlette
Package
- Name
- starlette
- View open source insights on deps.dev
- Purl
- pkg:pypi/starlette
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed1.3.0
Affected versions
0.*
0.1.0
0.1.1
0.1.2
0.1.3
0.1.4
0.1.5
0.1.6
0.1.7
0.1.8
0.1.9
0.1.10
0.1.11
0.1.12
0.1.13
0.1.14
0.1.15
0.1.16
0.1.17
0.2.0
0.2.1
0.2.2
0.2.3
0.3.0
0.3.1
0.3.2
0.3.3
0.3.4
0.3.5
0.3.6
0.3.7
0.4.0
0.4.1
0.4.2
0.5.0
0.5.1
0.5.2
0.5.3
0.5.4
0.5.5
0.6.0
0.6.1
0.6.2
0.6.3
0.7.0
0.7.1
0.7.2
0.7.3
0.7.4
0.8.0
0.8.1
0.8.2
0.8.3
0.8.4
0.8.5
0.8.6
0.8.7
0.8.8
0.9.0
0.9.1
0.9.2
0.9.3
0.9.4
0.9.5
0.9.6
0.9.7
0.9.8
0.9.9
0.9.10
0.9.11
0.10.0
0.10.1
0.10.2
0.10.3
0.10.4
0.10.5
0.10.6
0.10.7
0.11.0
0.11.1
0.11.2
0.11.3
0.11.4
0.12.0b1
0.12.0b2
0.12.0b3
0.12.0
0.12.1
0.12.2
0.12.3
0.12.4
0.12.5
0.12.6
0.12.7
0.12.8
0.12.9
0.12.10
0.12.11
0.12.12
0.12.13
0.13.0
0.13.1
0.13.2
0.13.3
0.13.4
0.13.5
0.13.6
0.13.7
0.13.8
0.14.0
0.14.1
0.14.2
0.15.0
0.16.0
0.17.0
0.17.1
0.18.0
0.19.0
0.19.1
0.20.0
0.20.1
0.20.2
0.20.3
0.20.4
0.21.0
0.22.0
0.23.0
0.23.1
0.24.0
0.25.0
0.26.0
0.26.0.post1
0.26.1
0.27.0
0.28.0
0.29.0
0.30.0
0.31.0
0.31.1
0.32.0
0.32.0.post1
0.33.0
0.34.0
0.35.0
0.35.1
0.36.0
0.36.1
0.36.2
0.36.3
0.37.0
0.37.1
0.37.2
0.38.0
0.38.1
0.38.2
0.38.3
0.38.4
0.38.5
0.38.6
0.39.0
0.39.1
0.39.2
0.40.0
0.41.0
0.41.1
0.41.2
0.41.3
0.42.0
0.43.0
0.44.0
0.45.0
0.45.1
0.45.2
0.45.3
0.46.0
0.46.1
0.46.2
0.47.0
0.47.1
0.47.2
0.47.3
0.48.0
0.49.0
0.49.1
0.49.2
0.49.3
0.50.0
0.51.0
0.52.0
0.52.1
1.*
1.0.0rc1
1.0.0
1.0.1
1.1.0
1.2.0
1.2.1