First Check

• I added a very descriptive title here.
• I used the GitHub search to find a similar question and didn't find it.
• I searched the FastAPI documentation, with the integrated search.
• I already searched in Google "How to X in FastAPI" and didn't find any information.
• I already read and followed all the tutorial in the docs and didn't find an answer.
• I already checked if it is not related to FastAPI but to Pydantic.
• I already checked if it is not related to FastAPI but to Swagger UI.
• I already checked if it is not related to FastAPI but to ReDoc.

Commit to Help

• I commit to help with one of those options 👆

Example Code

FastAPI currently declares:


[project]
dependencies = [
    "starlette>=0.46.0",
    "pydantic>=2.7.0",
    "typing-extensions>=4.8.0",
    "typing-inspection>=0.4.2",
    "annotated-doc>=0.0.2",
]


Relevant locations in the repository:

- `fastapi/pyproject.toml`
- `fastapi/fastapi/responses.py`
- `fastapi/fastapi/staticfiles.py`

Description

FastAPI 0.135.1 still allows Starlette releases that have published GitHub
security advisories.

The current dependency floor is:

starlette>=0.46.0

That version range still admits:

• 0.47.1
• 0.49.0

but GitHub advisories were published for those version ranges:

1. GHSA-2c2j-9gv5-cj73

   • published: July 20, 2025
   • affected: <0.47.2

2. GHSA-7f5h-v6xp-fcq8

   • published: October 28, 2025
   • affected: <=0.49.0

So although a current installation may resolve to a safe Starlette release, the
published FastAPI dependency metadata still permits installation with versions that
fall inside known vulnerable ranges.

Why I think this is LOW

I think this should be classified as LOW, not HIGH, because:

1. this is a dependency-floor / package-metadata issue, not a direct FastAPI code bug
2. a given environment may already resolve to a patched Starlette version
3. exploitability depends on the resolver outcome and deployment choices
4. the local environment I tested here is already safe

So I do not think this should be framed as "FastAPI itself is directly vulnerable in
all installs".

I do think it is still worth fixing because the package metadata currently allows
users to install combinations that include known-vulnerable Starlette releases.

Why it matters

FastAPI directly exposes and documents the affected Starlette surface:

• fastapi.responses.FileResponse
• fastapi.staticfiles.StaticFiles

Relevant files:

• fastapi/fastapi/responses.py
• fastapi/fastapi/staticfiles.py
• fastapi/docs_src/static_files/tutorial001_py310.py
• fastapi/docs_src/custom_response/tutorial009_py310.py

That means users following FastAPI’s public API and examples may rely on the exact
Starlette functionality covered by the advisories, while still having a dependency
range that permits affected Starlette versions.

Expected behavior

I would expect FastAPI to raise the minimum supported Starlette version high enough
to exclude known-vulnerable releases covered by published advisories.

For the currently known 2025 advisory set, that appears to mean at least:

starlette>=0.49.1

Actual behavior

FastAPI 0.135.1 still publishes:

starlette>=0.46.0

which permits Starlette releases within advisory-affected ranges.

Local Environment

This local workspace is not itself affected by the dependency-floor issue at runtime.

Versions in the tested environment:

• FastAPI: 0.135.1
• Starlette: 0.52.1
• Python: 3.12.3
• Pydantic: 2.12.5

So the concern is about the published dependency constraint, not the currently
installed Starlette version here.

Operating System

Linux

Operating System Details

Linux-6.17.9-76061709-generic-x86_64-with-glibc2.39

FastAPI Version

0.135.1

Pydantic Version

2.12.5

Python Version

3.12.3

Additional Context

Starlette Version

0.52.1 locally installed during testing

Sources:

• https://github.com/advisories/GHSA-2c2j-9gv5-cj73
• https://github.com/advisories/GHSA-7f5h-v6xp-fcq8

The main request here is not a code change in FastAPI runtime logic, but a packaging
change so that the minimum Starlette version excludes known vulnerable releases.

Suggested dependency update:

dependencies = [
    "starlette>=0.49.1",
    "pydantic>=2.7.0",
    "typing-extensions>=4.8.0",
    "typing-inspection>=0.4.2",
    "annotated-doc>=0.0.2",
]