EXECUTIVE SUMMARY:
Two vulnerabilities have been discovered in the pip/starlette package. These vulnerabilities include Denial of Service (DoS) and Server-Side Request Forgery (SSRF), which can be exploited to block the event loop, force unbounded memory allocation, or leak NTLMv2 credentials. This poses a significant business risk, as a single request can render the service unusable, and credential disclosure can facilitate further attacks.
CVE-2026-54283 with a CVSS score of 7.5 – This vulnerability allows an unauthenticated attacker to send a URL-encoded body with an arbitrarily large number of fields or an arbitrarily large single field, blocking the worker's event loop or forcing unbounded memory allocation.
CVE-2026-48818 with a CVSS score of 7.5 – This SSRF vulnerability enables an attacker to leak the service account's NTLMv2 credentials by resolving a UNC path in StaticFiles on Windows, which can then be cracked offline or relayed to other hosts.
RECOMMENDATION:
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-82w8-qh3p-5jfq
https://github.com/advisories/GHSA-wqp7-x3pw-xc5r