Security update for python-starlette SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2025:02544-1 Final 1 1 2025-07-29T13:47:48Z current 2025-07-29T13:47:48Z 2025-07-29T13:47:48Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for python-starlette This update for python-starlette fixes the following issues: - CVE-2025-54121: Correctly parse multi-part form with large files to avoid DoS. (bsc#1246855) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2025-2544,openSUSE-SLE-15.6-2025-2544 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2025/suse-su-202502544-1/ Link for SUSE-SU-2025:02544-1 https://lists.suse.com/pipermail/sle-updates/2025-July/040951.html E-Mail link for SUSE-SU-2025:02544-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1246855 SUSE Bug 1246855 https://www.suse.com/security/cve/CVE-2025-54121/ SUSE CVE CVE-2025-54121 page openSUSE Leap 15.6 python311-starlette-0.35.1-150600.3.6.1 python311-starlette-0.35.1-150600.3.6.1 as a component of openSUSE Leap 15.6 Starlette is a lightweight ASGI (Asynchronous Server Gateway Interface) framework/toolkit, designed for building async web services in Python. In versions 0.47.1 and below, when parsing a multi-part form with large files (greater than the default max spool size) starlette will block the main thread to roll the file over to disk. This blocks the event thread which means the application can't accept new connections. The UploadFile code has a minor bug where instead of just checking for self._in_memory, the logic should also check if the additional bytes will cause a rollover. The vulnerability is fixed in version 0.47.2. CVE-2025-54121 openSUSE Leap 15.6:python311-starlette-0.35.1-150600.3.6.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502544-1/ https://www.suse.com/security/cve/CVE-2025-54121.html CVE-2025-54121 https://bugzilla.suse.com/1246855 SUSE Bug 1246855