CVE-2025-62727: 
Python vulnerability analysis and mitigation

CVE-2025-62727 is a denial-of-service vulnerability affecting Starlette, a lightweight ASGI framework. The vulnerability was discovered and disclosed on October 28, 2025, impacting Starlette versions up to and including 0.49.0. The issue affects multiple products including Red Hat OpenShift, Red Hat AI Inference Server, Red Hat Ansible Automation Platform, and Red Hat Enterprise Linux AI (Red Hat Advisory).

The vulnerability exists in Starlette's FileResponse Range parsing/merging logic, where an unauthenticated attacker can trigger quadratic-time processing through a crafted HTTP Range header. The issue stems from an O(n^2) algorithm used in the FileResponse.parserange_header() method. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, and is categorized under CWE-407 (Inefficient Algorithmic Complexity) (GitHub Advisory).

The vulnerability can lead to CPU exhaustion per request, causing denial-of-service for endpoints serving files. This affects any Starlette application that uses StaticFiles or direct FileResponse responses. The impact extends to frameworks built on Starlette, such as FastAPI, when using file-serving endpoints (GitHub Advisory).

The vulnerability has been patched in Starlette version 0.49.1. Users are advised to upgrade to this version or later to mitigate the risk (GitHub Advisory).