Skip to content

chore(deps): bump starlette to 1.0.1#2366

Closed
Odilhao wants to merge 1 commit into
RedHatInsights:masterfrom
Odilhao:fix/cve-2026-48710-starlette-master
Closed

chore(deps): bump starlette to 1.0.1#2366
Odilhao wants to merge 1 commit into
RedHatInsights:masterfrom
Odilhao:fix/cve-2026-48710-starlette-master

Conversation

@Odilhao

@Odilhao Odilhao commented May 29, 2026

Copy link
Copy Markdown

Bumps starlette to 1.0.1 to fix CVE-2026-48710.

CVE: CVE-2026-48710 — Starlette: Security restriction bypass via malformed HTTP Host header. Missing Host header validation poisons `request.url.path`, allowing path-based security checks to be bypassed.

Fix version: starlette 1.0.1
Advisory: GHSA-86qp-5c8j-p5mr

@github-actions

Copy link
Copy Markdown
Contributor

SC Environment Impact Assessment

Overall Impact:NONE

No SC Environment-specific impacts detected in this PR.

What was checked

This PR was automatically scanned for:

  • Database migrations
  • ClowdApp configuration changes
  • Kessel integration changes
  • AWS service integrations (S3, RDS, ElastiCache)
  • Kafka topic changes
  • Secrets management changes
  • External dependencies

@Odilhao
Odilhao force-pushed the fix/cve-2026-48710-starlette-master branch from 9ff0962 to 82e2c64 Compare May 29, 2026 00:32
@Odilhao Odilhao changed the title fix(deps): bump starlette from 1.0.0 to 1.0.1 (CVE-2026-48710) chore(deps): bump starlette to 1.0.1 May 29, 2026
@Odilhao
Odilhao force-pushed the fix/cve-2026-48710-starlette-master branch from 82e2c64 to 3718bf4 Compare May 29, 2026 00:42

@jdobes jdobes left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Poetry lock and requirements.txt are not matching, you need to update both

@Odilhao
Odilhao force-pushed the fix/cve-2026-48710-starlette-master branch from 3718bf4 to 844048d Compare May 29, 2026 11:54
@Odilhao

Odilhao commented May 29, 2026

Copy link
Copy Markdown
Author

Updated — poetry.lock now includes starlette 1.0.1 (hashes verified against PyPI). Both requirements.txt and poetry.lock are in sync.

@jdobes

jdobes commented Jun 2, 2026

Copy link
Copy Markdown
Member

Master already fixed with other deps

@jdobes jdobes closed this Jun 2, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants