
CVE-2024-47874 - Starlette/FastAPI

I'm finally allowed to speak about this nice little DoS vulnerability I found in Starlette (and FastAPI).

The FastAPI devs published an update 3 days before the security release of Starlette that widened the version range of the dependency just enough to allow the to-be-released patch. Sneaky!


Discuss here: https://chaos.social/@defnull/113312254695093454