(security) Upgrade Starlette to >= 1.0.1 to fix CVE-2026-48710 #45675
Merged
vllm-bot merged 4 commits on Jun 18, 2026
Starlette < 1.0.1 does not validate the HTTP Host header before reconstructing request.url, allowing attackers to poison request.url.path and bypass path-based security middleware (Advisory X41-2026-002).

Upgrading was blocked by prometheus-fastapi-instrumentator 7.x pinning starlette < 1.0.0. Bump it to >= 8.0.0 (released 2026-05-29) which requires starlette >= 1.0.0, and raise the FastAPI floor to >= 0.133.0 (first version supporting Starlette 1.0).

Recompile all three test lock files accordingly.

Signed-off-by: Juan Pérez de Algaba <jperezde@redhat.com>
Signed-off-by: jperezde <jperezde@redhat.com>
Isotr0py approved these changes on Jun 15, 2026
FastAPI 0.137.0 changed APIRouter.routes from a flat list to a tree structure. This breaks model-hosting-container-standards' route conflict detection in safe_include_router(), which iterates app.router.routes looking for APIRoute instances to replace. With the tree structure, routes are nested inside sub-routers and never found, causing custom handler overrides to silently fail.

Pin fastapi < 0.137.0 until the upstream package is fixed. The CVE fix (starlette >= 1.0.1) is preserved since FastAPI 0.133+ supports Starlette 1.x.

Signed-off-by: Juan Pérez de Algaba <jperezde@redhat.com>
Signed-off-by: jperezde <jperezde@redhat.com>
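The version ranges stated in the two commit messages above (starlette >= 1.0.1, prometheus-fastapi-instrumentator >= 8.0.0, fastapi >= 0.133.0 and < 0.137.0) can be checked mechanically against the recompiled lock files. The following is an added example, not vLLM project code: it parses pip-compile style lock lines and reports pins outside those ranges; the lock contents and versions in LOCK_BEFORE and LOCK_AFTER are constructed samples, not vLLM's real pins.

```python
"""Added example (not vLLM code): flag lock-file pins outside the ranges this PR sets."""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, ...]
# (package, operator, bound, reason), taken from the PR description and the follow-up pin
CONSTRAINTS = [
    ("starlette", ">=", (1, 0, 1), "CVE-2026-48710: Host header unvalidated before request.url"),
    ("prometheus-fastapi-instrumentator", ">=", (8, 0, 0), "7.x pins starlette < 1.0.0"),
    ("fastapi", ">=", (0, 133, 0), "first release supporting Starlette 1.0"),
    ("fastapi", "<", (0, 137, 0), "APIRouter.routes tree breaks safe_include_router()"),
]

def parse_version(text: str) -> Version:
    """'0.133.0' -> (0, 133, 0); only the dotted numeric prefix is compared (assumption)."""
    m = re.match(r"\d+(?:\.\d+)*", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in m.group(0).split("."))

def parse_lock(text: str) -> Dict[str, Version]:
    """Collect 'name==x.y.z' pins; skip blank, '# via' and indented '--hash=' lines."""
    pins: Dict[str, Version] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop pip-compile comments
        if not line or line.startswith("--"):        # blank line or hash continuation
            continue
        m = re.match(r"([A-Za-z0-9_.-]+)(?:\[[^\]]*\])?==([^\s\\]+)", line)
        if m:  # normalise the name the way pip does (lower-case, '-' separators)
            pins[m.group(1).lower().replace("_", "-")] = parse_version(m.group(2))
    return pins

def find_violations(pins: Dict[str, Version]) -> List[Tuple[str, str, str]]:
    """(package, pinned, rule) per pin outside its range; absent packages are not reported."""
    bad = []
    for name, op, bound, reason in CONSTRAINTS:
        pinned = pins.get(name)
        if pinned is not None and not (pinned >= bound if op == ">=" else pinned < bound):
            bad.append((name, ".".join(map(str, pinned)), f"{op} {'.'.join(map(str, bound))}: {reason}"))
    return bad

# Constructed samples in pip-compile style; versions and hash are illustrative placeholders.
LOCK_BEFORE = """\
fastapi==0.120.0 \\
    --hash=sha256:00000000000000000000000000000000
    # via -r requirements/test.in
prometheus-fastapi-instrumentator==7.1.0
starlette==0.48.0
"""
LOCK_AFTER = "fastapi==0.135.0\nprometheus-fastapi-instrumentator==8.0.0\nstarlette==1.0.1\n"
```

Running `find_violations(parse_lock(LOCK_BEFORE))` lists all three packages; the same call on LOCK_AFTER returns an empty list, and a pin such as fastapi 0.137.2 is flagged by the upper bound from the follow-up commit.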
auto-merge was automatically disabled (June 16, 2026 10:51): Head branch was pushed to by a user without write access
Contributor (Author):
@DarkLight1337 Do you mind triggering the tests again? It seems that these errors are not related to my changes.
Contributor (Author):
The MR failure is unrelated, right?
divineearthly pushed a commit to divineearthly/vllm that referenced this pull request (Jun 19, 2026):
…project#45675)
Signed-off-by: jperezde <jperezde@redhat.com>
Co-authored-by: Isotr0py <mozf@mail2.sysu.edu.cn>
Signed-off-by: divineearthly <divineearthly@gmail.com>
xuebwang-amd pushed a commit to xuebwang-amd/vllm that referenced this pull request (Jun 21, 2026):
…project#45675)
Signed-off-by: jperezde <jperezde@redhat.com>
Co-authored-by: Isotr0py <mozf@mail2.sysu.edu.cn>
tunglinwood pushed a commit to tunglinwood/vllm that referenced this pull request (Jun 22, 2026):
…project#45675)
Signed-off-by: jperezde <jperezde@redhat.com>
Co-authored-by: Isotr0py <mozf@mail2.sysu.edu.cn>
nkzhenhua pushed a commit to nkzhenhua/vllm that referenced this pull request (Jun 24, 2026):
…project#45675)
Signed-off-by: jperezde <jperezde@redhat.com>
Co-authored-by: Isotr0py <mozf@mail2.sysu.edu.cn>