Open GhimBoon opened 2 days ago
The Chainlit codebase currently specifies a dependency on Starlette with the version constraint ^0.37.2, which means it is compatible with versions >=0.37.2, <0.38.0 [1]. To address the CVE-2024-47874 vulnerability, you will need to update the Starlette version to 0.40.0 or higher. However, this update will conflict with the current version constraint specified in the pyproject.toml file. You will need to modify the version constraint to allow for Starlette 0.40.0 or higher and ensure that there are no other dependencies that might conflict with this update.
To continue talking to Dosu, mention @dosu.
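The comment above turns on how Poetry's caret constraint expands: ^0.37.2 pins the leftmost non-zero component, so it admits 0.37.x only and rejects the 0.40.0 fix. The following script is an added example, not code from the Chainlit project or from the bot, that expands caret constraints, evaluates ordinary comparison constraints, and checks a pyproject.toml snippet to see whether the fixed release is admitted. The `starlette = "^0.37.2"` snippet and the `>=0.40.0,<1.0` replacement are constructed for the example; the exact constraint Chainlit ends up choosing is up to its maintainers.

```python
"""Check whether a pyproject.toml version constraint admits a fixed release.

Added example for the Starlette bump discussed in this issue; it is not
part of Chainlit and the sample pyproject text below is constructed.
"""
from __future__ import annotations

import re

Version = tuple[int, int, int]

# Comparison clauses such as ">=0.40.0" or "<1.0"; caret clauses are handled separately.
OP_RE = re.compile(r"^(>=|<=|==|>|<)\s*([\d.]+)$")


def parse_version(text: str) -> Version:
    """Parse "1", "1.2" or "1.2.3" into a three-tuple, padding with zeros."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a numeric version: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def caret_range(clause: str) -> tuple[Version, Version]:
    """Expand a Poetry caret clause to [lower, upper) bounds.

    The caret fixes the leftmost non-zero component:
      ^1.2.3  -> >=1.2.3, <2.0.0
      ^0.37.2 -> >=0.37.2, <0.38.0   (the constraint in this issue)
      ^0.0.3  -> >=0.0.3, <0.0.4
    """
    if not clause.startswith("^"):
        raise ValueError(f"not a caret clause: {clause!r}")
    lower = parse_version(clause[1:])
    major, minor, patch = lower
    if major > 0:
        upper: Version = (major + 1, 0, 0)
    elif minor > 0:
        upper = (0, minor + 1, 0)
    else:
        upper = (0, 0, patch + 1)
    return lower, upper


def _clause_ok(clause: str, v: Version) -> bool:
    clause = clause.strip()
    if clause.startswith("^"):
        lower, upper = caret_range(clause)
        return lower <= v < upper
    m = OP_RE.match(clause)
    if not m:
        raise ValueError(f"unsupported constraint clause: {clause!r}")
    op, bound = m.group(1), parse_version(m.group(2))
    return {
        ">=": v >= bound,
        "<=": v <= bound,
        "==": v == bound,
        ">": v > bound,
        "<": v < bound,
    }[op]


def satisfies(constraint: str, version: str) -> bool:
    """True if `version` meets every comma-separated clause of `constraint`."""
    v = parse_version(version)
    return all(_clause_ok(c, v) for c in constraint.split(","))


def pyproject_allows(pyproject_text: str, package: str, version: str) -> bool:
    """Look up `package = "<constraint>"` in pyproject text and test `version`.

    Only the simple quoted-string form of a Poetry dependency is recognised
    (an assumption made for this example, not a full TOML parser).
    """
    pat = re.compile(rf'^\s*{re.escape(package)}\s*=\s*"([^"]+)"', re.MULTILINE)
    m = pat.search(pyproject_text)
    if not m:
        raise KeyError(f"{package} not found in pyproject text")
    return satisfies(m.group(1), version)


# Constructed pyproject fragments: the constraint named in the issue, and one
# hypothetical replacement that admits 0.40.0 and later 0.x releases.
SAMPLE_PYPROJECT = """\
[tool.poetry.dependencies]
python = "^3.9"
starlette = "^0.37.2"
"""
FIXED_PYPROJECT = SAMPLE_PYPROJECT.replace('"^0.37.2"', '">=0.40.0,<1.0"')

if __name__ == "__main__":
    for text, label in ((SAMPLE_PYPROJECT, "current"), (FIXED_PYPROJECT, "proposed")):
        print(label, "admits 0.40.0:", pyproject_allows(text, "starlette", "0.40.0"))
```

One caveat the script makes visible: bumping the constraint to ^0.40.0 admits 0.40.x only, so a later patched 0.41 release would again be excluded; a bounded range such as >=0.40.0,<1.0 (or whatever upper bound the maintainers are comfortable with) is what "0.40.0 or higher" actually requires.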
Describe the bug
starlette < 0.40.0 is vulnerable to CVE-2024-47874
https://github.com/encode/starlette/security/advisories/GHSA-f96h-pmfr-66vw
To Reproduce
curl http://localhost:8000 -F 'big=</dev/urandom'
Expected behavior
Server should not be vulnerable to an easy-to-reproduce DoS attack.