
Details about package starlette

Name: starlette (PTS)
Uploader: Matheus Polkorny <polkorny@disroot.org> (Debian QA page)
Description: python3-starlette - ASGI library ideal for building high performance asyncio services

Package uploads

Upload #1

Information

Version: 0.46.1-3+deb13u1
Uploaded: 2026-01-30 04:43
Source package: starlette_0.46.1-3+deb13u1.dsc
Distribution: trixie
Section: python
Priority: optional
Homepage: https://www.starlette.io/
Vcs-Git: https://salsa.debian.org/python-team/packages/starlette.git
Vcs-Browser: https://salsa.debian.org/python-team/packages/starlette

Changelog

 starlette (0.46.1-3+deb13u1) trixie; urgency=medium
 .
   * Team upload.
   * d/p/CVE-2025-62727.patch: Import Upstream patch to fix CVE-2025-62727
     - An unauthenticated attacker can send a crafted HTTP Range header
       that triggers quadratic-time processing in Starlette's FileResponse
       Range parsing/merging logic. This enables CPU exhaustion per request,
       causing denial-of-service for endpoints serving files
   * d/changelog: Fix 0.46.1-3 changelog entry
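As an added illustration of the mitigation class the changelog entry describes (this is example code written here, not Starlette's own code and not the upstream patch), the parser below rejects a Range header carrying more than a bounded number of ranges and merges the rest by a single sort-and-sweep, so per-request cost stays O(n log n) in the number of ranges rather than quadratic. `MAX_RANGES`, `_to_int` and `parse_ranges` are names assumed for this example.

```python
import re

# Cap on ranges per request; a constructed value for this example, not Starlette's.
MAX_RANGES = 100

_BYTES_UNIT = re.compile(r"^\s*bytes\s*=\s*(.+?)\s*$")

def _to_int(text: str) -> int:
    # Plain ASCII digits only; int() alone would also accept "1_000".
    if not text.isdigit():
        raise ValueError(f"bad range value: {text!r}")
    return int(text)

def parse_ranges(header: str, file_size: int,
                 max_ranges: int = MAX_RANGES) -> list[tuple[int, int]]:
    """Sorted, merged half-open [start, end) ranges; ValueError on bad input."""
    m = _BYTES_UNIT.match(header)
    if m is None:
        raise ValueError("unsupported or malformed Range header")
    parts = m.group(1).split(",")
    if len(parts) > max_ranges:
        # Reject oversized headers before doing any per-range work.
        raise ValueError(f"more than {max_ranges} ranges")
    ranges = []
    for part in parts:
        first, sep, last = (s.strip() for s in part.partition("-"))
        if not sep:
            raise ValueError(f"bad range spec: {part!r}")
        if first == "":
            n = _to_int(last)  # suffix form "-N": the final N bytes
            if n == 0:
                raise ValueError("empty suffix range")
            start, end = max(file_size - n, 0), file_size
        else:
            start = _to_int(first)
            end = file_size if last == "" else min(_to_int(last) + 1, file_size)
            if start >= file_size or start >= end:
                raise ValueError(f"unsatisfiable range: {part!r}")
        ranges.append((start, end))
    # Sort once, then merge overlapping or adjacent ranges in one sweep:
    # O(n log n) overall, with no re-scan of earlier ranges per new one.
    ranges.sort()
    merged = [ranges[0]]
    for start, end in ranges[1:]:
        prev_start, prev_end = merged[-1]
        if start <= prev_end:
            merged[-1] = (prev_start, max(prev_end, end))
        else:
            merged.append((start, end))
    return merged
```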

QA information

Comments

  1. I have backported the patch from upstream to fix CVE-2025-62727.
    
    The PoC used for validation is available at: https://github.com/Kludex/starlette/security/advisories/GHSA-7f5h-v6xp-fcq8
    
    PoC Results for Trixie:
    
    Without Patch:
    > [INFO] Starlette Version: 0.46.1
    > [DEBUG] range_body length: 5002 bytes
    > [DEBUG] elapsed time: 0.101148 seconds
    > 
    > [DEBUG] range_body length: 10002 bytes
    > [DEBUG] elapsed time: 0.443003 seconds
    > 
    > [DEBUG] range_body length: 20002 bytes
    > [DEBUG] elapsed time: 1.275045 seconds
    > 
    > [DEBUG] range_body length: 40002 bytes
    > [DEBUG] elapsed time: 4.811988 seconds
    
    
    With Patch:
    > [INFO] Starlette Version: 0.46.1
    > [DEBUG] range_body length: 5002 bytes
    > [DEBUG] elapsed time: 0.000030 seconds
    > 
    > [DEBUG] range_body length: 10002 bytes
    > [DEBUG] elapsed time: 0.000037 seconds
    > 
    > [DEBUG] range_body length: 20002 bytes
    > [DEBUG] elapsed time: 0.000085 seconds
    > 
    > [DEBUG] range_body length: 40002 bytes
    > [DEBUG] elapsed time: 0.000296 seconds
    Matheus Polkorny at Jan. 30, 2026, 4:57 a.m.