Resource Consumption Issue in Starlette ASGI Framework by Kludex
CVE-2026-54283

7.5 HIGH

Key Information:

Vendor: Kludex

Status
Vendor
CVE Published: 22 June 2026

What is CVE-2026-54283?

Starlette, a lightweight ASGI framework developed by Kludex, has an issue in how it handles form data. The request.form() method is designed to enforce resource-consumption limits when parsing multipart/form-data, based on the max_fields and max_part_size settings, but these limits are not applied to application/x-www-form-urlencoded bodies. As a result, an unauthenticated attacker could send a URL-encoded body that contains either an excessive number of fields or a single excessively large field, and it would be parsed without those limits. This poses a serious risk, particularly for applications that rely on these settings to manage resource allocation. The issue is fixed in Starlette 1.3.1.
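The following added example is not Starlette's code or its fix: a standard-library Python reader that applies a field-count cap and a per-field size cap to a urlencoded body as its ASGI chunks arrive. The names UrlencodedLimiter, FormLimitExceeded and read_limited_form, and the limit values, are assumptions made for illustration.

```python
# Added example, not Starlette code: cap field count and per-field size for an
# application/x-www-form-urlencoded body while its chunks stream in over ASGI.
from urllib.parse import parse_qsl


class FormLimitExceeded(Exception):
    """A urlencoded body broke a configured limit."""


class UrlencodedLimiter:
    def __init__(self, max_fields=1000, max_part_size=1024 * 1024):
        self.max_fields = max_fields        # assumed value, tune per app
        self.max_part_size = max_part_size  # assumed value, raw encoded bytes
        self.fields = 0
        self.current = 0                    # bytes seen of the field in progress

    def feed(self, chunk: bytes) -> None:
        if not chunk:
            return
        for i, part in enumerate(chunk.split(b"&")):
            # A '&' (or the first byte of the body) opens a field. Empty
            # segments count too, so a run of '&' cannot slip past the cap.
            if i or self.fields == 0:
                self.fields += 1
                self.current = 0
            self.current += len(part)
            if self.fields > self.max_fields:
                raise FormLimitExceeded("too many fields")
            if self.current > self.max_part_size:
                raise FormLimitExceeded("field too large")


async def read_limited_form(receive, **limits):
    """Drain an ASGI request body, checking each chunk before buffering it."""
    limiter, body = UrlencodedLimiter(**limits), bytearray()
    while True:
        message = await receive()
        if message["type"] != "http.request":   # e.g. http.disconnect
            break
        chunk = message.get("body", b"")
        limiter.feed(chunk)                     # raises before the chunk is kept
        body += chunk
        if not message.get("more_body", False):
            break
    return parse_qsl(body.decode("latin-1"), keep_blank_values=True)
```

A caller catches FormLimitExceeded and answers with an error status such as 413. Upgrading to 1.3.1 remains the fix this advisory names.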

Affected Version(s)

starlette >= 0.4.1, < 1.3.1

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
