Starlette Range Header Processing Vulnerability in FileResponse
Vulnerability
A denial-of-service vulnerability has been identified in Starlette, a lightweight ASGI framework, in versions prior to 0.49.1. The issue arises in the FileResponse component, specifically within the range parsing and merging logic. An unauthenticated attacker can exploit this vulnerability by sending a crafted HTTP Range header, which triggers quadratic-time processing. This exploitation leads to CPU exhaustion per request, causing denial-of-service for endpoints that serve files, such as those using StaticFiles or FileResponse.
Impact
Exploitation of this vulnerability causes high CPU usage, leading to denial-of-service conditions on the server for endpoints that serve files.
Reproduction
The vulnerability can be reproduced by sending an HTTP request to a Starlette application with a crafted Range header that maximizes the work done by the server's range parsing. This can be done using a Python script that imports Starlette and its FileResponse class, builds a Range header payload, and measures the time taken to process the request. Running the script with several payload lengths demonstrates how processing time grows with the header.
Remediation
Users can upgrade to Starlette version 0.49.1 or later to address this vulnerability.
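For readers who maintain their own file-serving code rather than relying on Starlette, the following is an added example (not Starlette's code, nor the 0.49.1 fix) of the defensive pattern this class of bug calls for: parse a `bytes=` Range header, reject headers carrying more than an assumed cap of ranges, then sort once and merge overlapping or adjacent intervals in a single pass so the cost is O(n log n) rather than pairwise comparison. The `MAX_RANGES` value and the `MalformedRangeHeader` exception are this example's own assumptions.

```python
import re
from typing import List, Tuple

# Added example, not Starlette's implementation: a bounded, O(n log n) parser
# and merger for HTTP Range headers (RFC 9110 section 14.1.2), suffix ranges
# included. Intervals are returned half-open: [start, end).

MAX_RANGES = 100  # assumed cap on ranges per header; tune for your service

_RANGE_SPEC = re.compile(r"^(\d*)-(\d*)$")


class MalformedRangeHeader(ValueError):
    """Raised when the header is malformed, too long, or unsatisfiable.

    Callers typically answer 416 for an unsatisfiable header and either
    ignore the header (serve 200 with the whole file) or answer 400 for a
    malformed or oversized one.
    """


def parse_ranges(header: str, file_size: int,
                 max_ranges: int = MAX_RANGES) -> List[Tuple[int, int]]:
    """Return sorted, non-overlapping byte intervals clipped to file_size."""
    unit, sep, specs = header.partition("=")
    if unit.strip().lower() != "bytes" or not sep:
        raise MalformedRangeHeader("only bytes= ranges are supported")

    parts = [p.strip() for p in specs.split(",")]
    # Bound the input before doing any per-range work, so the amount of CPU
    # a single request can consume is fixed by configuration, not by the client.
    if len(parts) > max_ranges:
        raise MalformedRangeHeader(f"more than {max_ranges} ranges")

    ranges: List[Tuple[int, int]] = []
    for part in parts:
        m = _RANGE_SPEC.match(part)
        if not m or (not m.group(1) and not m.group(2)):
            raise MalformedRangeHeader(f"bad range spec {part!r}")
        first, last = m.group(1), m.group(2)
        if not first:
            # Suffix range "-N": the last N bytes of the file.
            n = int(last)
            if n == 0:
                continue  # a zero-length suffix is unsatisfiable; skip it
            start, end = max(file_size - n, 0), file_size
        else:
            start = int(first)
            if start >= file_size:
                continue  # starts past EOF: unsatisfiable, skip it
            end = file_size if not last else min(int(last) + 1, file_size)
            if end <= start:
                # last-pos must be >= first-pos; "5-3" is a syntax error
                raise MalformedRangeHeader(f"inverted range {part!r}")
        ranges.append((start, end))

    if not ranges:
        raise MalformedRangeHeader("no satisfiable range")

    # Sort once, then merge in one pass: each interval is compared only with
    # the last merged interval, so total work is O(n log n) for the sort plus
    # O(n) for the merge, independent of how the client ordered the ranges.
    ranges.sort()
    merged = [ranges[0]]
    for start, end in ranges[1:]:
        prev_start, prev_end = merged[-1]
        if start <= prev_end:  # overlapping or adjacent: extend the last one
            merged[-1] = (prev_start, max(prev_end, end))
        else:
            merged.append((start, end))
    return merged


if __name__ == "__main__":
    # Constructed inputs, not captured traffic.
    print(parse_ranges("bytes=0-9, 5-14, 20-29", 100))  # [(0, 15), (20, 30)]
    print(parse_ranges("bytes=90-,-5", 100))            # [(90, 100)]
```

The cap is checked before any range is parsed, so a request with an enormous list of ranges is rejected in time proportional to the header's length, and the merge never compares every range against every other. Whether an over-long header gets a 400 or is ignored in favour of a full 200 response is a policy choice for the caller.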
