(security) Upgrade Starlette to >= 1.0.1 to fix CVE-2026-48710#45675

Merged
vllm-bot merged 4 commits into
vllm-project:mainfrom
jperezdealgaba:security/upgrade-starlette-1.0.1
Jun 18, 2026
Conversation

@jperezdealgaba

Contributor

Starlette < 1.0.1 does not validate the HTTP Host header before reconstructing request.url, allowing attackers to poison request.url.path and bypass path-based security middleware (Advisory X41-2026-002).
Upgrading was blocked by prometheus-fastapi-instrumentator 7.x pinning starlette < 1.0.0. Bump it to >= 8.0.0 (released 2026-05-29) which requires starlette >= 1.0.0, and raise the FastAPI floor to >= 0.133.0 (first version supporting Starlette 1.0).

Recompile all three test lock files accordingly.

Starlette < 1.0.1 does not validate the HTTP Host header before reconstructing request.url, allowing attackers to poison request.url.path and bypass path-based security middleware (Advisory X41-2026-002).

Upgrading was blocked by prometheus-fastapi-instrumentator 7.x pinning starlette < 1.0.0. Bump it to >= 8.0.0 (released 2026-05-29) which requires starlette >= 1.0.0, and raise the FastAPI floor to >= 0.133.0 (first version supporting Starlette 1.0).

Recompile all three test lock files accordingly.

Signed-off-by: Juan Pérez de Algaba <jperezde@redhat.com>

Signed-off-by: jperezde <jperezde@redhat.com>
@github-project-automation github-project-automation Bot moved this to Ready in NVIDIA Jun 15, 2026
@Isotr0py Isotr0py enabled auto-merge (squash) June 15, 2026 16:38
@github-actions github-actions Bot added the ready ONLY add when PR is ready to merge/full CI is needed label Jun 15, 2026
FastAPI 0.137.0 changed APIRouter.routes from a flat list to a tree structure. This breaks model-hosting-container-standards' route conflict detection in safe_include_router(), which iterates app.router.routes looking for APIRoute instances to replace. With the tree structure, routes are nested inside sub-routers and never found, causing custom handler overrides to silently fail.

Pin fastapi < 0.137.0 until the upstream package is fixed. The CVE fix (starlette >= 1.0.1) is preserved since FastAPI 0.133+ supports Starlette 1.x.

Signed-off-by: Juan Pérez de Algaba <jperezde@redhat.com>

Signed-off-by: jperezde <jperezde@redhat.com>
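A defender-side check for the bounds this PR and its follow-up commit establish, added here as an example (not vLLM's own code): it parses a pip-compile style lock file and reports pins that violate starlette >= 1.0.1, fastapi >= 0.133.0 and < 0.137.0, or prometheus-fastapi-instrumentator >= 8.0.0. The lock content is constructed, and versions are compared as plain numeric tuples rather than with a full PEP 440 implementation.

```python
import re

# Bounds stated on the PR page: the CVE floor on starlette, the FastAPI floor
# (first Starlette 1.0 support) and later ceiling (0.137.0 routes tree change).
REQUIRED = {
    "starlette": [(">=", "1.0.1")],
    "fastapi": [(">=", "0.133.0"), ("<", "0.137.0")],
    "prometheus-fastapi-instrumentator": [(">=", "8.0.0")],
}

# Constructed sample of a pip-compile style lock file; one pin is stale.
SAMPLE_LOCK = """\
fastapi==0.134.2
    # via -r requirements/test.in
prometheus-fastapi-instrumentator==8.0.0
starlette==1.0.0
"""

def parse_version(v):
    """Numeric release tuple; pre-release tags are not needed for these pins."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def parse_lock(text):
    """Map normalised package name -> version from `name==version` lines."""
    pins = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)==([0-9][0-9.]*)", line)
        if m:
            pins[m.group(1).lower().replace("_", "-")] = m.group(2)
    return pins

def satisfied(version, op, bound):
    a, b = parse_version(version), parse_version(bound)
    return {">=": a >= b, "<": a < b}[op]

def check_lock(text, required=REQUIRED):
    """Return (package, pinned version or None, violated bound) triples."""
    problems = []
    pins = parse_lock(text)
    for name, bounds in required.items():
        pinned = pins.get(name)
        if pinned is None:
            problems.append((name, None, "missing"))
            continue
        for op, bound in bounds:
            if not satisfied(pinned, op, bound):
                problems.append((name, pinned, op + bound))
    return problems

if __name__ == "__main__":
    for pkg, ver, why in check_lock(SAMPLE_LOCK):
        print(f"{pkg}=={ver} violates {why}")
```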
auto-merge was automatically disabled June 16, 2026 10:51

Head branch was pushed to by a user without write access

@jperezdealgaba

Contributor Author

@DarkLight1337 Do you mind triggering the tests again? It seems that these errors are not related to my changes

@Isotr0py Isotr0py enabled auto-merge (squash) June 16, 2026 15:24
@jperezdealgaba

Contributor Author

The MR failure is unrelated, right?

@vllm-bot vllm-bot merged commit f6ba720 into vllm-project:main Jun 18, 2026
27 of 30 checks passed
@github-project-automation github-project-automation Bot moved this from Ready to Done in NVIDIA Jun 18, 2026
divineearthly pushed a commit to divineearthly/vllm that referenced this pull request Jun 19, 2026
…project#45675)

Signed-off-by: jperezde <jperezde@redhat.com>
Co-authored-by: Isotr0py <mozf@mail2.sysu.edu.cn>
Signed-off-by: divineearthly <divineearthly@gmail.com>
xuebwang-amd pushed a commit to xuebwang-amd/vllm that referenced this pull request Jun 21, 2026
…project#45675)

Signed-off-by: jperezde <jperezde@redhat.com>
Co-authored-by: Isotr0py <mozf@mail2.sysu.edu.cn>
tunglinwood pushed a commit to tunglinwood/vllm that referenced this pull request Jun 22, 2026
…project#45675)

Signed-off-by: jperezde <jperezde@redhat.com>
Co-authored-by: Isotr0py <mozf@mail2.sysu.edu.cn>
nkzhenhua pushed a commit to nkzhenhua/vllm that referenced this pull request Jun 24, 2026
…project#45675)

Signed-off-by: jperezde <jperezde@redhat.com>
Co-authored-by: Isotr0py <mozf@mail2.sysu.edu.cn>
Labels

ci/build nvidia ready ONLY add when PR is ready to merge/full CI is needed

3 participants