惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
P
Palo Alto Networks Blog
S
Securelist
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
NISL@THU
NISL@THU
L
Lohrmann on Cybersecurity
有赞技术团队
有赞技术团队
The GitHub Blog
The GitHub Blog
C
Cisco Blogs
B
Blog
Microsoft Azure Blog
Microsoft Azure Blog
Recent Announcements
Recent Announcements
Simon Willison's Weblog
Simon Willison's Weblog
T
Tenable Blog
Know Your Adversary
Know Your Adversary
Spread Privacy
Spread Privacy
WordPress大学
WordPress大学
月光博客
月光博客
Latest news
Latest news
C
CXSECURITY Database RSS Feed - CXSecurity.com
T
Threat Research - Cisco Blogs
Cisco Talos Blog
Cisco Talos Blog
I
InfoQ
D
Darknet – Hacking Tools, Hacker News & Cyber Security
W
WeLiveSecurity
Hacker News - Newest:
Hacker News - Newest: "LLM"
酷 壳 – CoolShell
酷 壳 – CoolShell
U
Unit 42
C
Cybersecurity and Infrastructure Security Agency CISA
博客园 - 聂微东
人人都是产品经理
人人都是产品经理
Google DeepMind News
Google DeepMind News
Apple Machine Learning Research
Apple Machine Learning Research
Attack and Defense Labs
Attack and Defense Labs
罗磊的独立博客
T
The Exploit Database - CXSecurity.com
I
Intezer
GbyAI
GbyAI
Jina AI
Jina AI
www.infosecurity-magazine.com
www.infosecurity-magazine.com
Blog — PlanetScale
Blog — PlanetScale
博客园 - 司徒正美
Google Online Security Blog
Google Online Security Blog
Engineering at Meta
Engineering at Meta
D
Docker
Recent Commits to openclaw:main
Recent Commits to openclaw:main
小众软件
小众软件
云风的 BLOG
云风的 BLOG
爱范儿
爱范儿
Project Zero
Project Zero

Swift for Visual Studio Code comes to Open VSX Registry | InfoWorld

Notion courts developers with a platform for AI agents and workflow automation Using continuous purple teaming to protect fast-paced enterprise environments A better way to work with SQL Server AWS debuts Graviton-powered Redshift RG instances to cut analytics costs SAP’s AI promises last year? Most are still rolling out First look: Lemonade serves up local AI with limitations GitLab CEO sees developer tool bill increasing 100-fold Red Hat adds support for agentic AI development What’s new and exciting in JDK 26 Kill the loading spinner with local-first data and reactive SQL A networking revolution at AWS Tokenmaxxing is super dumb How to add AI to an existing product (without annoying users) Your AI doesn’t need another database What happens when engineering teams reorganize around AI agents Python isn’t always easy When cloud giants meddle in markets 12 model-level deep cuts to slash AI training costs The best new features in Python 3.15 Teradata launches platform for enterprise AI agents moving beyond pilots Three skills that matter when AI handles the coding MongoDB targets AI’s retrieval problem Building AI apps and agents with Microsoft Foundry Designing front-end systems for cloud failure No, AI won’t destroy software development jobs Diskless databases: What happens when storage isn’t the bottleneck Vibe coding or spec-driven development? The agentic AI distraction Vibe coding or spec-driven development? How to choose Cloud providers are blinded by agentic AI SAP to acquire data lakehouse vendor Dremio Small language models: Rethinking enterprise AI architecture Making AI work through eval hygiene Improving AI agents through better evaluations AI in the cloud is easy but expensive Running AI in the cloud is easy – and expensive Making AI work for databases Harness teams of agentic coders with Squad Harness teams of coding agents with Squad Oracle NetSuite announces AI coding skills for SuiteCloud developers Why it’s so hard to create stand-alone Python apps A new challenge for software product managers The hidden cost of front-end complexity GitHub shifts Copilot to usage-based billing, signaling a new cost model for enterprise AI tools OpenAI’s Symphony spec pushes coding agents from prompts to orchestration The front-end architecture trilemma: Reactivity vs. hypermedia vs. local-first apps Enterprise AI is missing the business core The best JavaScript certifications for getting hired Google begins putting the guardrails on agentic AI Why world models are AI’s next frontier Where to begin a cloud career Google pitches Agentic Data Cloud to help enterprises turn data into context for AI agents How open source ideals must expand for AI Is your Node.js project really secure? How I doubled my GPU efficiency without buying a single new card SpaceX secures option to acquire AI coding startup Cursor for $60B Google’s Gemma 4 shines on local systems – both big and small AI is upending the SaaS game How AI is upending SaaS tools Snowflake offers help to users and builders of AI agents From the engine room to the bridge: What the modern leadership shift means for architects like me Addressing the challenges of unstructured data governance for AI The cookbook for safe, powerful agents Enterprises are rethinking Kubernetes GitHub pauses new Copilot sign-ups as agentic AI strains infrastructure Best practices for building agentic systems Making agents dull Oracle delivers semantic search without LLMs When cloud giants neglect resilience Exciting Python features are on the way Ease into Azure Kubernetes Application Network The agent tier: Rethinking runtime architecture for context-driven enterprise workflows The two-pass compiler is back – this time, it’s fixing AI code generation MuleSoft Agent Fabric adds new ways to keep AI agents in line Salesforce launches Headless 360 to support agent‑first enterprise workflows Tap into the AI APIs of Google Chrome and Microsoft Edge Where will developer wisdom come from? GitHub adds Stacked PRs to speed complex code reviews The hyperscalers are pricing themselves out of AI workloads HTMX 4.0: Hypermedia finds a new gear Google Cloud introduces QueryData to help AI agents create reliable database queries Hands-on with the Google Agent Development Kit Are AI certifications worth the investment? AWS targets AI agent sprawl with new Bedrock Agent Registry Cloud degrees are moving online Swift for Visual Studio Code comes to Open VSX Registry AI agents aren't failing. The coordination layer is failing How Agile practices ensure quality in GenAI-assisted development Anthropic rolls out Claude Managed Agents Microsoft’s reauthentication snafu cuts off developers globally Meta’s Muse Spark: a smaller, faster AI model for broad app deployment Bringing databases and Kubernetes together Rethinking Angular forms: A state-first perspective Minimus Welcomes Yael Nardi as CBO to Facilitate Strategic Growth Microsoft announces end of support for ASP.NET Core 2.3 Get started with Python’s new frozendict type AWS turns its S3 storage service into a file system for AI agents Microsoft’s new Agent Governance Toolkit targets top OWASP risks for AI agents The winners and losers of AI coding GitHub Copilot CLI adds Rubber Duck review agent
FastAPI-based AI tools exposed to authentication bypass by flaw in Starlette framework
by Gyana Swain · 2026-05-27 · via Swift for Visual Studio Code comes to Open VSX Registry | InfoWorld

Researchers who found the bug warn that its Moderate rating understates a threat reaching across LLM gateways, MCP servers and agent infrastructure.

A single malformed character in a web request can let an unauthenticated attacker slip past the access controls that guard applications built on Starlette, the open-source Python framework that powers FastAPI, researchers said.

The flaw, tracked as CVE-2026-48710 could allow attackers to bypass host-validation protections using malformed Host headers, according to an advisory from cybersecurity firm X41 D-Sec.

The attacker needs no password and no action from a victim, it said.

Starlette’s maintainer released a patch through an official GitHub security advisory after X41 D-Sec disclosed the vulnerability in coordination with the Open Source Technology Improvement Fund (OSTIF). They found the flaw during an unrelated source-code audit, and traced it to Starlette rather than the application under review.

“This bug is a classic ‘responsibility gap’ where if this maintainer didn’t patch, thousands of exposed projects would have to individually secure their projects,” OSTIF said.

The researchers have created a website, badhost.org, that can test websites for the vulnerability.

Exploiting the bug

The flaw lies in how Starlette rebuilds the address of an incoming request, according to X41 D-Sec. The framework joins the Host header sent by the client to the path that was requested to form a complete URL, but parses the whole and the parts for validity using different rules.

A Host header containing a slash, question mark or hash character shifts where the path begins, the researchers said, so the path Starlette reports no longer matches the one the server actually received.

That gap is where the risk lies, according to the firm. Starlette routes the request to the real path, but middleware and endpoints read the altered one. An application that restricts sensitive routes by checking the path it sees can let a request through while still running the protected route behind it.

X41 D-Sec published a demonstration with its advisory. The researchers sent a request to a protected administrative page and received a “403 Forbidden” response. They sent the same request with one extra character in the Host header, and the page returned a “200 OK.” The same pattern has surfaced in other recent authentication-bypass flaws in open-source AI frameworks.

Severity rating under dispute

Starlette’s maintainer rated the flaw at 6.5 out of 10, or Moderate, on the CVSS scale in the GitHub advisory. X41 D-Sec rated it 7.0, or High, and said the danger to software built on Starlette runs higher than either figure suggests.

The damage an attacker can do depends on what each application does with the forged path. X41 D-Sec said it found several open-source projects whose security checks rely on the reconstructed address. In those projects, the single-character flaw could chain into “authentication bypass to SSRF and other issues that in some cases even lead to remote-code-execution on the affected system,” the researchers wrote.

The reach extends well past Starlette itself. A separate advisory from security firm Secwest on the flaw said the score “materially understates the downstream impact” and warned that the bug touches “most of the model-serving, gateway, proxy, eval, agent, and MCP-server infrastructure that has been stood up in the last two years.”

Affected software includes model-serving tools, API gateways, OpenAI-compatible proxies, agent frameworks and Model Context Protocol servers built on FastAPI, according to X41 D-Sec and Secwest.

An application can be exposed even if its developers never installed Starlette, because another component may have, X41 D-Sec said. Starlette has more than 400,000 dependent projects on GitHub, according to the firm.

Who is most exposed

Not every dependent project is equally at risk, X41 D-Sec said. Whether an application can be attacked comes down to how it is. The dividing line is the reverse proxy: A proxy such as nginx or Apache HTTP Server rejects the malformed request before it reaches the application, and production websites usually sit behind such a layer. Research, evaluation and development setups for AI software often do not, and many run the application server facing the network directly, it said.

Three groups face the most exposure, according to X41 D-Sec: those running a FastAPI or Starlette application directly on an application server with no compliant reverse proxy in front; those exposing a model proxy such as LiteLLM or vLLM as a directly reachable endpoint; and those whose access-control code reads the reconstructed request address rather than the raw path.

The researchers advised teams to upgrade to Starlette 1.0.1 or later, which validates the Host header and rejects malformed values.

This article first appeared on CSO.