Starlette, Arbitrary HTTP method dispatch to HTTPEndpoint attributes via getattr, CVE-2026-48817 (Moderate) -DC-Jun2026-441


This CVE details a logic flaw in Starlette’s `HTTPEndpoint` class that allows attackers to invoke unintended methods using arbitrary HTTP verbs. The core issue lies in how `HTTPEndpoint` dispatches requests. When a request arrives, the framework lowercases the HTTP method string (e.g., GET, POST, _DO_DELETE) and uses it directly in a `getattr()` call on the endpoint instance to find a corresponding handler method. This lookup does not restrict which method names are considered valid, nor does it validate that the method is a standard HTTP verb.
The vulnerability is triggered when an `HTTPEndpoint` subclass is registered with a `Route` that does not explicitly specify the `methods=` argument. Without this argument, the route does not filter incoming requests by method. Consequently, any HTTP request, regardless of its method string, is passed directly to the endpoint for processing. An attacker can then send a request using a non-standard HTTP method, such as _DO_DELETE. The system lowercases this to _do_delete, and `getattr()` retrieves that method from the endpoint. If such a method exists and is callable, it is executed as though it were the intended handler for a standard HTTP verb.
This bypasses the application’s intended request routing. Developers typically expect only methods like get, post, put, delete, etc., to be reachable. However, an attacker could invoke methods named _do_delete, connect_helper, or any other name that conforms to the HTTP token specification and is present as a callable attribute. These invoked methods may be internal helpers or utility functions that were never designed to be exposed as HTTP endpoints. Such methods might not have the necessary authorization checks or input validation, leading to privilege escalation or unintended data access.
The issue is particularly dangerous because non-standard methods are fully compliant with the RFC 9110 specification. This means the attack is not a violation of the HTTP standard and may not be flagged by standard web application firewalls. Frameworks built on Starlette, such as FastAPI, are also affected if they use `HTTPEndpoint` in the same manner. The root cause is an unsafe reflection pattern where attacker-controlled input (the HTTP method) is used to select code to execute without a proper allowlist.

DailyCVE Form:

Platform: Starlette/FastAPI
Version: < 0.49.1
Vulnerability: Invoke unintended methods
Severity: Moderate
Date: 2026-05-23

Prediction: 2026-05-24

What Undercode Say:

The vulnerability is due to the unsafe use of externally-controlled input to select a function or method to invoke.
Check if your Starlette or FastAPI application uses `HTTPEndpoint` without a `methods` list in the `Route` definition:

```shell
# Search for HTTPEndpoint subclasses registered without 'methods='
# (note the quoted glob: --include=".py" would match nothing)
grep -rn "HTTPEndpoint" --include="*.py" . | grep -v "methods="
```

To verify the presence of the vulnerability in a running application, send a request with a non-standard HTTP method:

```shell
# Test for the vulnerability by requesting a known internal method name
curl -X _DO_DELETE http://localhost:8000/your-endpoint
```

If the server does not return a `405 Method Not Allowed` status, the application may be vulnerable. A successful attack could result in a response generated by the unintended handler.

How to Exploit:

An attacker would first identify an `HTTPEndpoint` subclass that is registered without a `methods` constraint. Then, they would need to discover a callable attribute name on that class that is not intended to be an HTTP handler. Common targets include methods starting with an underscore, like _do_delete, or helper methods like connect_to_db. The attacker would then send an HTTP request using that method name as the verb.

A full exploit example:

```python
import requests

# Assuming the endpoint is at '/api/users' and the vulnerable class has a method '_delete_all_users'
response = requests.request(method="_DELETE_ALL_USERS", url="http://target.com/api/users")
print(response.status_code)
print(response.text)
```

This would cause the `_DELETE_ALL_USERS` method to be executed, potentially deleting all user data without any authorization checks.

Protection:

The primary mitigation is to always define the `methods` argument when registering an `HTTPEndpoint` subclass with Route. This restricts the allowed HTTP verbs to a known safe set, causing the framework to return a `405 Method Not Allowed` response for any other method.

```python
from starlette.routing import Route
from .endpoints import MyEndpoint

# Vulnerable: no methods list, so every HTTP verb reaches the endpoint's dispatch
routes = [Route("/path", endpoint=MyEndpoint)]

# Protected: explicit methods list, anything else gets 405 Method Not Allowed
routes = [Route("/path", endpoint=MyEndpoint, methods=["GET", "POST"])]
```

Update Starlette to version 0.49.1 or later. This version contains a fix that either restricts the attribute lookup to a safe list of methods or adds validation to the routing mechanism. If an immediate upgrade is not possible, consider implementing a middleware that validates the HTTP method against a whitelist before passing the request to the routing system.
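The middleware mitigation above, as an added example that is not code from the advisory or from the Starlette project: a pure-ASGI allowlist middleware that answers 405 before the router runs, exercised against a constructed stand-in endpoint that copies the getattr dispatch pattern described at the top of this advisory (it is not `starlette.endpoints.HTTPEndpoint`; the class and method names are assumptions).

```python
import asyncio

# Standard verbs the application actually serves (assumption; tailor per app)
ALLOWED_METHODS = frozenset({"GET", "HEAD", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"})


class MethodAllowlistMiddleware:
    """Reject any HTTP request whose method is outside the allowlist with
    405 before the router (and any getattr-based dispatch) ever sees it."""

    def __init__(self, app, allowed=ALLOWED_METHODS):
        self.app = app
        self.allowed = frozenset(m.upper() for m in allowed)

    async def __call__(self, scope, receive, send):
        if scope["type"] == "http" and scope.get("method", "").upper() not in self.allowed:
            allow = ", ".join(sorted(self.allowed)).encode()
            await send({"type": "http.response.start", "status": 405,
                        "headers": [(b"allow", allow), (b"content-length", b"0")]})
            await send({"type": "http.response.body", "body": b""})
            return
        await self.app(scope, receive, send)


class ReflectiveEndpoint:
    """Constructed stand-in (NOT Starlette's HTTPEndpoint) that mirrors the
    risky pattern: the lowercased verb selects a handler through getattr."""

    async def get(self):
        return 200, b"get handler"

    async def _do_delete(self):  # internal helper, never meant to be routed
        return 200, b"internal helper ran"

    async def __call__(self, scope, receive, send):
        handler = getattr(self, scope["method"].lower(), None)
        status, body = (await handler()) if callable(handler) else (405, b"")
        await send({"type": "http.response.start", "status": status, "headers": []})
        await send({"type": "http.response.body", "body": body})


def run_request(app, method, path="/api/users"):
    """Drive an ASGI app with a minimal constructed scope; return (status, body)."""
    sent = []

    async def receive():
        return {"type": "http.request", "body": b"", "more_body": False}

    async def send(message):
        sent.append(message)

    scope = {"type": "http", "method": method, "path": path, "headers": []}
    asyncio.run(app(scope, receive, send))
    return sent[0]["status"], sent[1]["body"]
```

Wrapping the real Starlette app the same way (`MethodAllowlistMiddleware(app)`) gives the 405 behaviour on every route, including ones whose `Route` still lacks `methods=`.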

Impact:

This vulnerability allows an attacker to invoke any callable attribute on an `HTTPEndpoint` instance that is reachable via a non-standard HTTP method. The impact depends on the nature of the invoked method. Potential consequences include:
– Bypass of Authorization: Internal helper methods may not have authentication or permission checks, allowing unauthorized actions.
– Data Exposure: Methods that return sensitive data could be accessed directly.
– Privilege Escalation: An attacker might invoke administrative functions not intended for public access.
– Denial of Service: If the invoked method performs resource-heavy operations, an attacker could exhaust system resources.
– Code Execution: In extreme cases, if the endpoint has methods that execute system commands or similar functionality, this could lead to remote code execution.
The vulnerability is present in all versions of Starlette before 0.49.1, and affects any framework that builds on it, including FastAPI. The `HTTPEndpoint` class is commonly used in applications that require a class-based view pattern. Adhering to the mitigation is critical to prevent exploitation.

Sources:

Reported By: github.com