chore(deps): bump starlette to 1.0.1 #2366

Open

Odilhao wants to merge 1 commit into RedHatInsights:master from Odilhao:fix/cve-2026-48710-starlette-master


Conversation

@Odilhao Odilhao commented May 29, 2026

Bumps starlette to 1.0.1 to fix CVE-2026-48710.

CVE: CVE-2026-48710 — Starlette: Security restriction bypass via malformed HTTP Host header. Missing Host header validation poisons `request.url.path`, allowing path-based security checks to be bypassed.

Fix version: starlette 1.0.1
Advisory: GHSA-86qp-5c8j-p5mr
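The advisory summary above turns on one missing check: the Host header is trusted before the request URL is rebuilt from it. As an added example (not Starlette's code and not part of this PR), here is a strict Host header validator in plain Python together with the invariant it protects: for any header it accepts, rebuilding a URL as scheme + Host + path leaves the path exactly as requested. The function names, the `BadHostHeader` exception and the `*.example.com` allowlist syntax are my own choices, not the framework's.

```python
"""Strict HTTP Host header validation (added example, not Starlette's code)."""
import re
from urllib.parse import urlsplit

# host = an IPv6 literal in brackets, or a DNS name / IPv4 address built from
# letters, digits, '.' and '-'; optional ':port'. Anything else is rejected.
_HOST_RE = re.compile(
    r"^(?P<host>\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?)"
    r"(?::(?P<port>[0-9]{1,5}))?$"
)


class BadHostHeader(ValueError):
    """Host header is absent, malformed, or not on the allowlist."""


def _matches(host, pattern):
    """Hypothetical allowlist syntax: exact name, '*.example.com', or '*'."""
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # '*.example.com' -> '.example.com'
    return host == pattern


def validate_host(raw, allowed_hosts=("*",)):
    """Return the canonical 'host' or 'host:port' for a well-formed Host header
    whose hostname is allowlisted; raise BadHostHeader otherwise.
    Matching is case-insensitive; '*' accepts any syntactically valid host."""
    if not raw:
        raise BadHostHeader("missing Host header")
    m = _HOST_RE.fullmatch(raw)
    if m is None:
        # '/', '?', '#', '@', whitespace and control characters all fail here:
        # these are the bytes that get re-read as path, query or userinfo when
        # the request URL is rebuilt from scheme + Host + path.
        raise BadHostHeader("malformed Host header: %r" % raw)
    host = m.group("host").lower()
    port = m.group("port")
    if port is not None and not 0 < int(port) < 65536:
        raise BadHostHeader("port out of range: %s" % port)
    if not any(_matches(host, p.lower()) for p in allowed_hosts):
        raise BadHostHeader("host not allowed: %r" % host)
    return host if port is None else "%s:%s" % (host, port)


def is_valid(raw, allowed_hosts=("*",)):
    """Boolean convenience wrapper around validate_host."""
    try:
        validate_host(raw, allowed_hosts)
        return True
    except BadHostHeader:
        return False


def rebuilt_path(host_header, path):
    """Path carried by a URL rebuilt as 'http://' + Host + path.
    For every header validate_host accepts this equals `path`; that equality
    is the invariant a path-based authorization check silently relies on."""
    return urlsplit("http://%s%s" % (host_header, path)).path


if __name__ == "__main__":
    # Constructed sample headers, not captured traffic.
    allowed = ["example.com", "*.example.com"]
    for hdr in ("Example.COM:8080", "api.example.com", "[::1]:8000",
                "example.com/admin", "example.com :80", "other.org", ""):
        print("%-20r -> %s" % (hdr, "accept" if is_valid(hdr, allowed) else "reject"))
```

In a Starlette application the corresponding configuration point is `TrustedHostMiddleware(allowed_hosts=[...])` from `starlette.middleware.trustedhost`; the standalone function above shows the same idea without the framework, and the `rebuilt_path` invariant is the property worth asserting in a test suite whenever authorization decisions are keyed on `request.url.path`.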

@github-actions
Contributor

SC Environment Impact Assessment

Overall Impact: NONE

No SC Environment-specific impacts detected in this PR.

What was checked

This PR was automatically scanned for:

  • Database migrations
  • ClowdApp configuration changes
  • Kessel integration changes
  • AWS service integrations (S3, RDS, ElastiCache)
  • Kafka topic changes
  • Secrets management changes
  • External dependencies

Odilhao force-pushed the fix/cve-2026-48710-starlette-master branch from 9ff0962 to 82e2c64 on May 29, 2026 00:32
Odilhao changed the title from "fix(deps): bump starlette from 1.0.0 to 1.0.1 (CVE-2026-48710)" to "chore(deps): bump starlette to 1.0.1" on May 29, 2026
Odilhao force-pushed the fix/cve-2026-48710-starlette-master branch from 82e2c64 to 3718bf4 on May 29, 2026 00:42
Member

@jdobes jdobes left a comment

Poetry lock and requirements.txt are not matching, you need to update both

Odilhao force-pushed the fix/cve-2026-48710-starlette-master branch from 3718bf4 to 844048d on May 29, 2026 11:54
Odilhao (Author) commented May 29, 2026

Updated — poetry.lock now includes starlette 1.0.1 (hashes verified against PyPI). Both requirements.txt and poetry.lock are in sync.
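The review point above (poetry.lock and requirements.txt drifting apart) is easy to catch mechanically before a reviewer has to. As an added example, not tooling from this repository, here is a small checker that reads the pins in a requirements.txt export and the `[[package]]` entries in a poetry.lock and lists every package whose versions disagree. The file contents below are constructed samples standing in for the PR's files (the hash is a placeholder), and the function names are my own; the real fix remains regenerating the lock with `poetry lock` and re-exporting, this only confirms the two agree.

```python
"""Check that requirements.txt pins agree with poetry.lock (added example)."""
import re

# Constructed sample inputs; placeholder contents, not the repository's real files.
REQUIREMENTS_TXT = """\
# Pins exported from pyproject.toml; markers and continuation lines are allowed.
anyio==4.4.0 ; python_version >= "3.9"
Starlette==1.0.1 \\
    --hash=sha256:PLACEHOLDER_HASH
"""

POETRY_LOCK_STALE = """\
[[package]]
name = "anyio"
version = "4.4.0"
description = "High level compatibility layer"

[[package]]
name = "starlette"
version = "1.0.0"
description = "The little ASGI library that shines."
"""

# The same lock after it has been regenerated with the bumped pin.
POETRY_LOCK_SYNCED = POETRY_LOCK_STALE.replace('version = "1.0.0"', 'version = "1.0.1"')

# name, optional [extras], '==', version up to whitespace or a ';' marker.
_PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?==([^\s;]+)")


def canonical(name):
    """PEP 503 normalisation so 'Starlette' and 'starlette' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text):
    """Map canonical package name -> pinned version from requirements.txt text."""
    logical, buf = [], ""
    # Join backslash-continued physical lines (pip's --hash style) first.
    for line in text.splitlines():
        if line.rstrip().endswith("\\"):
            buf += line.rstrip()[:-1] + " "
            continue
        logical.append(buf + line)
        buf = ""
    if buf:
        logical.append(buf)
    pins = {}
    for line in logical:
        line = line.split("#", 1)[0].strip()  # drop comments
        if not line or line.startswith("-"):
            continue  # pip options such as -r or --index-url, not pins
        m = _PIN_RE.match(line)
        if m:
            pins[canonical(m.group(1))] = m.group(2)
    return pins


def parse_poetry_lock(text):
    """Map canonical package name -> locked version from poetry.lock text."""
    locked = {}
    for chunk in text.split("[[package]]")[1:]:
        name = re.search(r'^name\s*=\s*"([^"]+)"', chunk, re.M)
        ver = re.search(r'^version\s*=\s*"([^"]+)"', chunk, re.M)
        if name and ver:
            locked[canonical(name.group(1))] = ver.group(1)
    return locked


def find_mismatches(pins, locked):
    """Return (name, requirements_version, lock_version) for every pin the lock
    does not carry at the same version; lock_version is None when absent."""
    return sorted(
        (name, ver, locked.get(name))
        for name, ver in pins.items()
        if locked.get(name) != ver
    )


if __name__ == "__main__":
    pins = parse_requirements(REQUIREMENTS_TXT)
    for label, lock in (("stale", POETRY_LOCK_STALE), ("synced", POETRY_LOCK_SYNCED)):
        print(label, find_mismatches(pins, parse_poetry_lock(lock)))
```

Run as a CI step over the real files, a non-empty result from `find_mismatches` is the signal to fail the job; in this PR's case it would have flagged `starlette` at 1.0.1 in requirements.txt against 1.0.0 in the lock until both were regenerated together.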

2 participants