Why This Matters
This vulnerability in Starlette versions prior to 1.0.1 exposes a significant security risk by allowing attackers to bypass authentication mechanisms through crafted Host headers. It highlights the importance of timely updates and careful validation of request headers in web frameworks to prevent potential exploits. Addressing this flaw is crucial for maintaining secure web applications built on Starlette.
Key Takeaways
- Starlette versions before 1.0.1 are vulnerable to Host-header bypass.
- Attackers can craft requests to bypass authentication checks.
- Updating to the latest version and validating headers can mitigate this risk.
Starlette < 1.0.1 builds request.url by concatenating the HTTP Host header with the request path. An attacker can send a crafted request such as GET /protected with a Host: example.com/health?x= header. The request is still routed to the /protected path, but request.url becomes https://example.com/health?x=/protected, so request.url.path returns /health instead of the real request path. Any middleware that uses this value to decide whether to enforce authentication can be bypassed.
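To make the mechanism concrete, here is an added Python model (not Starlette's own code) of the URL concatenation described above, beside the check a middleware should use instead: the routed path from the ASGI-style scope, with the Host header validated. The scope layout, the _HOST_RE pattern and the function names are assumptions made for this illustration.

```python
import re
from urllib.parse import urlsplit

# Hostname (optionally with a port) that a valid Host header may carry.
# Assumption: the app serves plain DNS names or IPv4 literals only.
_HOST_RE = re.compile(r"^[A-Za-z0-9.-]+(:\d{1,5})?$")

def _host_header(scope: dict) -> str:
    """Raw Host header value from an ASGI-style scope (constructed layout)."""
    return dict(scope["headers"]).get(b"host", b"").decode("latin-1")

def build_url_vulnerable(scope: dict) -> str:
    """Model of the pre-1.0.1 behaviour: scheme + raw Host header + path."""
    url = f"{scope['scheme']}://{_host_header(scope)}{scope['path']}"
    if scope.get("query_string"):
        url += "?" + scope["query_string"].decode("latin-1")
    return url

def path_from_url(url: str) -> str:
    """What request.url.path yields: the path component of the parsed URL."""
    return urlsplit(url).path

def is_valid_host(scope: dict) -> bool:
    """Reject Host values that could smuggle a path or query into the URL."""
    return bool(_HOST_RE.match(_host_header(scope)))

def requires_auth_vulnerable(scope: dict, public=("/health",)) -> bool:
    """Auth decision keyed on request.url.path, a value the Host header controls."""
    return path_from_url(build_url_vulnerable(scope)) not in public

def requires_auth_safe(scope: dict, public=("/health",)) -> bool:
    """Auth decision keyed on the routed path, after validating the Host header."""
    if not is_valid_host(scope):
        return True  # malformed Host: never treat the request as public
    return scope["path"] not in public

# Constructed request matching the advisory: GET /protected with a crafted Host.
CRAFTED_SCOPE = {
    "scheme": "https",
    "path": "/protected",
    "query_string": b"",
    "headers": [(b"host", b"example.com/health?x=")],
}
```

Running the two decision functions on CRAFTED_SCOPE shows the vulnerable one skipping authentication while the safe one enforces it.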
More details can be found in the X41-2026-002 advisory.