Starlette Host Header Validation Bypass Vulnerability Advisory (CVE-XXXX/CWE-436)

Vulnerability Overview Title: Request Host Header not Validated in Starlette Severity Rating: High Confirmed Affected Versions: starlette >= 0.8.3, < 1.0.1 Confirmed Fixed Version: starlette 1.0.1 Vendor: Starlette Vendor URL: https://github.com/Kludex/starlette Vector: Request Host Header not Validated Credit: X41 D-Sec GmbH, JJ Status: Public CVE: Pending GitHub ID: GHSA-86qp-5c8j-p5mr CWE: 436 CVSS Score: 7 CVSS Vector: CVSS:3.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N Advisory URL: https://www.x41-dsec.de/lab/advisories/x41-2026-002-starlette/ Impact Starlette reconstructs the request URL based on the HTTP request header and the request path but does not perform any validation on the header value. This allows an attacker to inject a path into the host part, prepending the actual path. However, Starlette's routing is based on the actual request path. This inconsistent interpretation of HTTP requests can lead to issues such as authentication bypass when authentication relies on the reconstructed URL path. Starlette is the foundation of the FastAPI Python framework. Remediation 1. Avoid relying on request path: Implement functionality based on request endpoints, such as authentication. 2. Use : Instead of . 3. Deploy a reverse proxy: Such as nginx or Apache HTTP Server, to reject invalid Host headers. 4. Use an ASGI server: That validates the host header according to RFC specifications. Proof of Concept (POC) Code Timeline 2026-01-27: Issue discovered during an unrelated source code audit 2026-02-04: PoC created and vendor contacted, GHSA-86qp-5c8j-p5mr 2026-02-05: Vendor response 2026-03-01: Vendor proposes patch 2026-05-21: Vendor publicly releases patch 2026-05-22: Advisory published Authors JJ, Yassine El Baaj, Markus Vervier Date: May 22, 2026

Goal Reached Thanks to every supporter — we hit 100%!

Starlette Host Header Validation Bypass Vulnerability Advisory (CVE-XXXX/CWE-436)