Severity by source
Sources disagree (Medium–Critical)AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
2Blast Radius
ecosystem impact- 46 pypi packages depend on starlette (21 direct, 25 indirect)
Ecosystem-wide dependent count for version 1.0.1.
DescriptionNVD
Starlette is a lightweight ASGI framework/toolkit. Prior to version 1.0.1, the HTTP Host request header was not validated before being used to reconstruct request.url. Because the routing algorithm relies on the raw HTTP path while request.url is rebuilt from the Host header, a malformed header could make request.url.path differ from the path that was actually requested. Middleware and endpoints that apply security restrictions based on request.url (rather than the raw scope path) could therefore be bypassed. Users should upgrade to a version greater than or equal to version 1.0.1, which validates the Host header against the grammar of RFC 9112 §3.2 / RFC 3986 §3.2.2 when constructing request.url and falls back to scope["server"] for malformed values.
AnalysisAI
Host header injection in Starlette prior to version 1.0.1 allows unauthenticated remote attackers to cause request.url.path to differ from the actual ASGI scope path used for routing, enabling bypass of middleware and endpoint security controls that rely on request.url rather than the raw scope. Any application enforcing path-based ACLs, authentication gates, or WAF-style filters through request.url is affected, as a crafted Host header can make the URL appear to address a permitted path while the real route differs. This issue carries CVSS 6.5 (AV:N/AC:L/PR:N/UI:N); no public exploit has been identified at time of analysis and it is not listed in CISA KEV.
Directory traversal vulnerability in Starlette versions 0.13.5 and later and prior to 0.27.0 allows a remote unauthentic
There MultipartParser usage in Encode's Starlette python framework before versions 0.25.0 allows an unauthenticated and
Same weakness CWE-444 – HTTP Request/Response Smuggling
View allSame technique Request Smuggling
View allVendor StatusVendor
SUSE
Severity: Medium| Product | Status |
|---|---|
| SUSE Linux Enterprise Server 16.0 | Fixed |
| SUSE Linux Enterprise Server 16.1 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.0 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.1 | Fixed |
| openSUSE Leap 16.0 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32016
GHSA-86qp-5c8j-p5mr