
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2025-54121 affects Starlette, a lightweight ASGI (Asynchronous Server Gateway Interface) framework/toolkit for building async web services in Python. The vulnerability is present in versions up to and including 0.47.1: when a multipart form contains a file larger than the default max spool size, the upload is rolled over from memory to disk synchronously on the thread running the event loop, which blocks the application from accepting or servicing other requests until the rollover completes. The vulnerability was disclosed on July 20, 2025, and has been fixed in version 0.47.2 (GitHub Advisory).
The vulnerability stems from a bug in the UploadFile code: the `_in_memory` check does not account for a write whose additional bytes will push the spooled buffer past its limit and trigger a rollover to disk storage. The `write` method only checks whether the file is currently in memory, not whether the pending write will cause a rollover. Because the rollover itself happens inside the underlying SpooledTemporaryFile's write call, the disk I/O for that write (and the copy of the entire in-memory buffer to a temporary file) runs on the event loop thread instead of in a background thread as later writes do. The vulnerability has been assigned a CVSS v3.1 score of 5.3 (Medium) with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L (GitHub Advisory).
The primary impact of this vulnerability is a potential denial-of-service condition when processing large files in multipart forms. When the uploaded file size exceeds the default max spool size, the thread running the application's event loop is blocked for the duration of the rollover, preventing it from accepting new connections or servicing other requests. The impact is considered moderate, and is most pronounced on systems with slow storage devices. On systems with modern HDDs/SSDs the performance impact is less severe, since form parsing is already CPU-intensive and the extra blocking time from the rollover is comparatively small (GitHub Advisory).
The vulnerability has been fixed in Starlette version 0.47.2. The fix modifies the UploadFile code to check, before each write, whether the additional bytes will cause a rollover, and to perform the write in a background thread when they will. Users should upgrade to version 0.47.2 or later to address this vulnerability (GitHub Advisory).
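The following is an added example, not Starlette's own code, that reproduces the shape of both the 0.47.1 check and the 0.47.2 fix against Python's `tempfile.SpooledTemporaryFile` so the difference can be observed without installing the framework. The class `SpooledUpload`, the helper `rollover_location`, the constant `SPOOL_MAX_SIZE` and the sample chunks are constructed for this demonstration; the method names `_in_memory` and `_will_roll` are modeled on the advisory's description of the UploadFile code, and `loop.run_in_executor` stands in for Starlette's `run_in_threadpool`. The example records which thread performed the memory-to-disk rollover: with the old check it is the event loop thread, with the fixed check it is a worker thread.

```python
from __future__ import annotations

import asyncio
import tempfile
import threading

# Constructed spool limit: small so a rollover is easy to trigger. Starlette's
# real default is larger; this value exists only for the demonstration.
SPOOL_MAX_SIZE = 1024


class SpooledUpload:
    """Stand-in for the relevant part of Starlette's UploadFile (added example,
    not Starlette's code). fixed=False reproduces the 0.47.1 check,
    fixed=True reproduces the shape of the 0.47.2 fix."""

    def __init__(self, *, fixed: bool, max_size: int = SPOOL_MAX_SIZE) -> None:
        self.file = tempfile.SpooledTemporaryFile(max_size=max_size)
        self.fixed = fixed
        self.rollover_thread_id = None  # ident of the thread that moved the buffer to disk

    @property
    def _in_memory(self) -> bool:
        # SpooledTemporaryFile sets `_rolled` once its buffer has been copied
        # to a real on-disk temporary file. This is the only thing the
        # vulnerable write path looks at.
        return not getattr(self.file, "_rolled", True)

    def _will_roll(self, size_to_add: int) -> bool:
        # Fixed-style check: will this write push the buffer past max_size?
        # SpooledTemporaryFile rolls over when tell() > _max_size after a write,
        # so the rollover is predictable before the write happens.
        if not self._in_memory:
            return True
        max_size = getattr(self.file, "_max_size", 0)
        return self.file.tell() + size_to_add > max_size

    def _sync_write(self, data: bytes) -> None:
        # Blocking write. When the limit is crossed, SpooledTemporaryFile.write
        # copies the whole in-memory buffer to disk before returning.
        was_in_memory = self._in_memory
        self.file.write(data)
        if was_in_memory and not self._in_memory:
            self.rollover_thread_id = threading.get_ident()

    async def write(self, data: bytes) -> None:
        loop = asyncio.get_running_loop()
        if self.fixed:
            offload = self._will_roll(len(data))
        else:
            offload = not self._in_memory  # 0.47.1 shape: current state only
        if offload:
            await loop.run_in_executor(None, self._sync_write, data)
        else:
            self._sync_write(data)  # runs on the event loop thread


def rollover_location(fixed: bool, chunks: list[bytes]) -> str:
    """Write `chunks` through the chosen write path and report which thread
    performed the rollover: "event-loop", "worker", or "none" when the data
    never exceeded the spool limit."""

    async def run() -> str:
        upload = SpooledUpload(fixed=fixed)
        loop_thread = threading.get_ident()  # asyncio.run drives the loop here
        for chunk in chunks:
            await upload.write(chunk)
        rolled_on = upload.rollover_thread_id
        upload.file.close()
        if rolled_on is None:
            return "none"
        return "event-loop" if rolled_on == loop_thread else "worker"

    return asyncio.run(run())


if __name__ == "__main__":
    # Constructed input: two chunks that together cross the 1 KiB spool limit,
    # mirroring a multipart body delivered in several reads.
    sample_chunks = [b"a" * 600, b"b" * 600]
    for fixed in (False, True):
        label = "0.47.2-style" if fixed else "0.47.1-style"
        print(f"{label}: rollover performed on {rollover_location(fixed, sample_chunks)}")
```

The second chunk is the one that crosses the limit. Under the old check the file is still in memory when that write begins, so the write, and the rollover it triggers, run on the event loop thread; under the fixed check the pending size is accounted for and the write is offloaded. Writes that never exceed the limit behave identically in both versions, which is why the bug only shows up for uploads larger than the spool size.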
The vulnerability was initially discovered and reported through GitHub Discussions, where it sparked a technical discussion about the nature of the issue and potential solutions. The community engagement led to the development and implementation of a fix, with several key contributors including HonakerM, defnull, and wai25 collaborating on the solution (GitHub Discussion).
Source: This report was generated using AI