CVE-2026-54283: Starlette: request.form() limits silently ignored for application/x-www-form-urlencoded enable DoS

June 15, 2026

request.form() accepts max_fields and max_part_size to bound resource consumption while parsing form data. These limits are enforced for multipart/form-data, but silently ignored for application/x-www-form-urlencoded. An unauthenticated attacker can therefore send a urlencoded body with an arbitrarily large number of fields or an arbitrarily large field, even when the application configured limits it believed would apply.

References

github.com/Kludex/starlette/security/advisories/GHSA-82w8-qh3p-5jfq
github.com/advisories/GHSA-82w8-qh3p-5jfq
nvd.nist.gov/vuln/detail/CVE-2026-54283

Code Behaviors & Features

Detect and mitigate CVE-2026-54283 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →