Never, ever, ever transform URIs and paths by string manipulation. If you think pulling in a library for this is overkill, it is not.<p>(Lesson learned from trying to quickly write my own function to make ".." to go back one URL segment that took 3 hours and discovering the URI spec contradicts my intuition depending on whether the URI is a URL or filesystem path.)
Differentials between different URI parsers are a huge source of bugs. The amount of shenanigans you can do inside URIs is bonkers, and trying to handle this by yourself with some regex and string splitting is absolutely insane.<p>Like <a href="https://www.example.com:443@203569230:8080/" rel="nofollow">https://www.example.com:443@203569230:8080/</a> will send you to the IP address "12.34.56.78" on port 8080 using basic authentication with the domain and port as username and password. If your code tries to split by `:` or check that the URI starts with some specific string, then it won't be good enough. Indeed, use a library that you trust.
I don't believe Python's urllib has a function that takes what HTTP terms an "origin-form" (an absolute path with possibly a query attached to it with "?") and parses it apart.<p>Still, the RFC 9112 that defines HTTP/1.1 basics requires that, for the purposes of URI reconstruction, "if there is no Host header field or if its field value is empty or invalid, the target URI's authority component is empty."
If you read the advisory and are wondering what starlette is, from it's web page: starlette is a lightweight ASGI framework/toolkit, which is ideal for building async web services in Python.<p>It's used a lot in the data heavy AI world for it's efficiency shipping large files. This includes lots and lots of production servers.<p>From the advisory: this includes LLM inference servers like vLLM, LLM proxy servers like LiteLLM, AI agent frameworks, MCP gateways, and custom APIs. MCP servers are especially at risk because the MCP spec mandates unauthenticated OAuth discovery endpoints, providing a reliable path for exploitation.
Notably, Starlette powers FastAPI, an extremely popular Python framework for building HTTP services.
Is this still true?
You may be thinking of Litestar (previously named Starlite) that was based on Starlette akin to FastAPI but then went their own direction implementing a framework rather than relying on an upstream for their core product.
Yes, it's literally the first bullet point on the project's website.
[dead]
Ironically typing ‘make sure my server is secure’ into an LLM either wasn’t done, or missed it until now.
The posted page has an entire section titled "Why didn't Mythos find this?"<p>tl;dr: the bug spans three components in different code bases that when looked at in isolation each do reasonable things. The bug is in the interaction, in the assumed properties of the value that eventually gets exposed as request.url.path. That was apparently too subtle for current Anthropic models to spot
From the link, on how the attack works:<p>An attacker can send a crafted request like GET /protected with a Host: example.com/health?x= header. The request will reach the /proteced path, but request.url would be <a href="https://example.com/health?x=/protected" rel="nofollow">https://example.com/health?x=/protected</a>, and request.url.path would return /health instead of the real request path.
I found a similar vulnerability in the Zeus Web Server ( <a href="https://en.wikipedia.org/wiki/Zeus_Web_Server" rel="nofollow">https://en.wikipedia.org/wiki/Zeus_Web_Server</a> ) in January 2000.<p>Zeus had a great feature where you could set up virtual servers just by creating directories. So if you wanted to host www.example.com and www.anotherexample.com you just created two directories of those names like that and away you went.<p>I discovered that the if you sent `Host:` headers which started with `/` then you could use it to traverse the file system and read any file you wanted.<p>Plus ça change, plus c'est la même chose!
So the classic case of two parsers disagreing and being too permissive in accepting input
[dead]
If you're using nginx/apache/literally anything that does reverse proxying correctly, this shouldn't be a problem unless you're routing all traffic over default_server rules unstead of server_name (or the equivalent).<p>They should be stopping this attack at the door (even if only to clean out your logs from scraper door knocks), which is probably why it went unnoticed for years. I don't think anyone would be deploying {A,W}SGI servers on public facing ports these days. Even if only because SSL termination is much easier in the proxy layer.<p>Also good lord that ARS article is a mess. What the hell happened there? An ASGI server isn't unique to AI or anything, it's just a regular supply chain dependency. I kinda expect better from ARS on stuff like this.
You're relying on everyone in the world to set things up in a way that provides defense in depth. Not everyone is going to do that.<p>Which means there's going to be a lot of cases where people don't do the safe thing.<p>Especially, as other's have said, in the case of MCP servers, where the spec mandates exposed oauth.
The saving grace here is that people are most commonly doing this for reasons other than as a defense - serving static files efficiently, combining multiple services, caching, DDoS protection, etc. There are certainly some directly exposed FastAPI instances but it’s been against the grain for decades.
Or probably the most straightforward one, which is SSL termination. Most backend software usually has very bad support for HTTPS communication, while it's typically extensively documented for something like nginx. It also catches some other strangeness like making it easier to update the certificate.<p>The biggest risk is incorrect usage of the default_server directive, the proper way in which to handle it isn't usually taught in most "here's how you use nginx" tutorials. Most usually just have you edit the default server blocks.<p>Tldr that covers 99% of all cases: you want 2 default server blocks, one on port 80 and one on port 443. The one on port 80 should only return 444 (an internal nginx status code that stops the connection immediately with no response), while the one on port 443 should use ssl_reject_handshake to terminate the SSL connection as quickly as possible without causing strange errors (you also need a self-signed certificate because otherwise openssl refuses to do protocol negotiation correctly, but the cert doesn't actually do anything). After that, specify your actual domains as separate server blocks using server_name (including a separate one for each to do the port 80->443 redirect).<p>Arguably this should be the default configuration shipped by distros, but it isn't for some reason, which doesn't help matters.
Ars has had a depreciating quality the past few years by most accounts. They've been trying a bit harder recently it seems, but shaking off the allure of half baked short form journalism is hard, I guess.
This is a bad one. Rating it a medium understates how hard it hits thousands of downstream projects and billions of installs. People need to patch asap. I'm normally against the "giving a bug a name, logo, and website" trope, but this one is getting poor patch rates because of it being rated a medium and landing right before a big American holiday weekend.
I agree it’s fairly bad on its own but it’s substantially mitigated if you aren’t exposing Starlette/FastAPI directly to the internet – if you use a CDN, load-balancer / API Gateway, or a fronting web server it’s likely that your service is protected since the attacks depend on characters which are not valid in DNS (and in the first couple of cases, likely need to match to route traffic to the right customer).<p>As an example, I just confirmed that both Cloudflare and AWS ALBs reject all of the attack patterns. Still not good, lateral movement is a time-honored tactic, etc. but it buys time to patch.
Also requires that you build specific kind of logic in your access control. So it really depends on implementation. Some codebases are vulnerable where as others are not.
I don't know if many people run FastAPI directly without any reverse proxy, load balancer etc. in front of their services.<p>Probably this is why it is marked as medium.
I need to start some kind of public counter for major vulnerabilities that could have been prevented with a software building code. It's been ticking up a lot latey
Notably CVE-2026-48710 hasn't been added into cloud sec vuln catalogs quite yet. Since fastapi ~is starlette, expect the later half of this week / early next to be busy.
path-based auth middleware is a bad practice IMHO
Setting aside this issue, Starlette is a really great web server.<p>If you do async python I strongly recommend it.<p>FastAPI is built on Starlette - to be honest I don’t see the point of the extra baggage - just use Starlette.
fastAPI will give you `/openapi.json`, `/docs` with no extra effort<p>function name becomes a human readable summary, string docs the description<p>edit: bottle.py and fastapi are the most significant contributions to web frameworks in python — decorators for path handlers, typed input/output, automatic docs
[flagged]
[flagged]
[flagged]
The URL was meant to be <a href="https://badhost.org" rel="nofollow">https://badhost.org</a>, the site accidentally still has the old canonical meta tag.
[flagged]
[flagged]
[flagged]
[dead]
[flagged]