CVE-2025-54121 SUSE CVE security@suse.de SUSE Security Team SUSE CVE-2025-54121 Interim 1 3 2026-03-05T00:30:46Z current 2025-08-05T23:14:06Z 2026-03-05T00:30:46Z cve-database/bin/generate-cvrf-cve.pl 2020-12-27T01:00:00Z CVE-2025-54121 Starlette is a lightweight ASGI (Asynchronous Server Gateway Interface) framework/toolkit, designed for building async web services in Python. In versions 0.47.1 and below, when parsing a multi-part form with large files (greater than the default max spool size) starlette will block the main thread to roll the file over to disk. This blocks the event thread which means the application can't accept new connections. The UploadFile code has a minor bug where instead of just checking for self._in_memory, the logic should also check if the additional bytes will cause a rollover. The vulnerability is fixed in version 0.47.2. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://lists.suse.com/pipermail/sle-updates/2025-July/040951.html E-Mail link for SUSE-SU-2025:02544-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings SUSE Linux Enterprise Server 16.0 openSUSE Leap 15.6 openSUSE Tumbleweed python-starlette python311-starlette-0.35.1-150600.3.6.1 python311-starlette-0.47.2-1.1 python312-starlette-0.47.2-1.1 python313-starlette python313-starlette-0.47.2-1.1 python311-starlette-0.35.1-150600.3.6.1 as a component of openSUSE Leap 15.6 python311-starlette-0.47.2-1.1 as a component of openSUSE Tumbleweed python312-starlette-0.47.2-1.1 as a component of openSUSE Tumbleweed python313-starlette-0.47.2-1.1 as a component of openSUSE Tumbleweed python313-starlette as a component of SUSE Linux Enterprise Server 16.0 python-starlette as a component of SUSE Linux Enterprise Server 16.0 Starlette is a lightweight ASGI (Asynchronous Server Gateway Interface) framework/toolkit, designed for building async web services in Python. In versions 0.47.1 and below, when parsing a multi-part form with large files (greater than the default max spool size) starlette will block the main thread to roll the file over to disk. This blocks the event thread which means the application can't accept new connections. The UploadFile code has a minor bug where instead of just checking for self._in_memory, the logic should also check if the additional bytes will cause a rollover. The vulnerability is fixed in version 0.47.2. CVE-2025-54121 openSUSE Leap 15.6:python311-starlette-0.35.1-150600.3.6.1 openSUSE Tumbleweed:python311-starlette-0.47.2-1.1 openSUSE Tumbleweed:python312-starlette-0.47.2-1.1 openSUSE Tumbleweed:python313-starlette-0.47.2-1.1 moderate 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L