
Cloud Vulnerability DB
A community-led vulnerabilities database
Starlette, a lightweight ASGI framework/toolkit, contains a vulnerability (CVE-2025-62727) affecting versions 0.39.0 to 0.49.1. The vulnerability was discovered on October 28, 2025, and allows an unauthenticated attacker to send a crafted HTTP Range header that triggers quadratic-time processing in Starlette's FileResponse Range parsing/merging logic (GitHub Advisory, NVD).
The vulnerability exists in the FileResponse._parse_range_header() method: the parsing loop uses a regular expression whose O(n^2) complexity exposes it to denial of service, and the merge loop processes each input range by scanning the entire result list, which yields quadratic behavior when a header carries many disjoint ranges. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating high availability impact over network access with no privileges or user interaction required (GitHub Advisory).
This vulnerability lets a single request exhaust CPU, causing denial of service for endpoints that serve files (e.g., StaticFiles or any use of FileResponse). It affects any Starlette application that uses StaticFiles or returns FileResponse directly, including frameworks built on Starlette such as FastAPI (GitHub Advisory).
The vulnerability has been fixed in version 0.49.1, and users should upgrade to this version to mitigate the issue. The fix optimizes the HTTP Range parsing logic, removing the quadratic-time processing (GitHub Release).
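As an added illustration, constructed for this page and not Starlette's own code, the following Python contrasts the merge pattern the advisory describes (every input range scans the whole result list) with a sort-then-sweep merge, and adds a cap on the number of ranges as a defense-in-depth check; the `max_ranges` parameter and its default of 100 are assumptions.

```python
import re
from typing import List, Tuple

# Constructed example, not Starlette's implementation. Ranges are half-open
# (start, end) byte intervals already clipped to the file size.
_RANGE_RE = re.compile(r"^\s*(\d*)\s*-\s*(\d*)\s*$")  # anchored, linear-time


def parse_ranges(header: str, file_size: int, max_ranges: int = 100) -> List[Tuple[int, int]]:
    """Parse 'bytes=a-b, c-d, e-, -n' into (start, end) ranges.

    Rejecting oversized headers before any merging bounds the work an
    unauthenticated client can force, whatever the merge algorithm costs.
    """
    if not header.startswith("bytes="):
        raise ValueError("unsupported range unit")
    parts = header[len("bytes="):].split(",")
    if len(parts) > max_ranges:  # assumed limit; pick one that fits your clients
        raise ValueError(f"too many ranges ({len(parts)} > {max_ranges})")
    ranges = []
    for part in parts:
        match = _RANGE_RE.match(part)
        if match is None or match.groups() == ("", ""):
            raise ValueError(f"malformed range: {part!r}")
        start_s, end_s = match.groups()
        if start_s == "":  # suffix range "-n": the last n bytes
            start, end = max(file_size - int(end_s), 0), file_size
        else:
            start = int(start_s)
            end = file_size if end_s == "" else min(int(end_s) + 1, file_size)
        if start >= end:
            raise ValueError(f"unsatisfiable range: {part!r}")
        ranges.append((start, end))
    return ranges


def merge_quadratic(ranges: List[Tuple[int, int]]) -> List[Tuple[int, int]]:
    """Merge by rescanning the full result list for each input: O(n^2) for n disjoint ranges."""
    result: List[Tuple[int, int]] = []
    for start, end in ranges:
        merged, kept = (start, end), []
        for s, e in result:  # full scan of everything merged so far
            if merged[0] <= e and s <= merged[1]:  # overlapping or adjacent
                merged = (min(s, merged[0]), max(e, merged[1]))
            else:
                kept.append((s, e))
        result = kept + [merged]
    return sorted(result)


def merge_linear(ranges: List[Tuple[int, int]]) -> List[Tuple[int, int]]:
    """Sort once, then merge in a single sweep: O(n log n) regardless of input shape."""
    merged: List[Tuple[int, int]] = []
    for start, end in sorted(ranges):
        if merged and start <= merged[-1][1]:  # overlaps or touches the previous range
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged
```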
The vulnerability fix release received positive community engagement, with 10 reactions on GitHub including thumbs up and heart emojis from the developer community (GitHub Release).
Source: This report was generated using AI