{"uuid": "b2a75a7b-5e7e-4257-94fc-5fc1430a8af2", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-48710", "type": "seen", "source": "https://gist.github.com/ftnext/024e0a57b95821714e2c6081d3e6d533", "content": "# https://github.com/ftnext/fastapi-playground/blob/eb6dd9b7861ced2168a24d7c27647af0e4b5f175/starlette-cve-2026-48710-badhost/run_starlette_app.py\n# https://x41-dsec.de/lab/advisories/x41-2026-002-starlette/\nfrom starlette.applications import Starlette\nfrom starlette.middleware import Middleware\nfrom starlette.middleware.base import BaseHTTPMiddleware\nfrom starlette.responses import PlainTextResponse\nfrom starlette.routing import Route\nfrom starlette.testclient import TestClient\n\n\nclass AuthMiddleware(BaseHTTPMiddleware):\n    async def dispatch(self, request, call_next):\n        print(f\"{request.url=}, {request.url.path=}\")\n        if request.url.path == \"\" or request.url.path == \"/\":\n            return await call_next(request)\n        return PlainTextResponse(\"Forbidden\\n\", status_code=403)\n\n\nasync def root(request):\n    return PlainTextResponse(\"Hello, world\\n\")\n\n\nasync def admin(request):\n    return PlainTextResponse(\"secret=123\\n\")\n\n\nroutes = [\n    Route(\"/\", endpoint=root),\n    Route(\"/admin\", endpoint=admin),\n]\napp = Starlette(routes=routes, middleware=[Middleware(AuthMiddleware)])\n\nclient = TestClient(app)\n\nres1 = client.get(\"/admin\", headers={\"Host\": \"foo\"})\nassert res1.status_code == 403, f\"{res1.text=}\"\nres2 = client.get(\"/admin\", headers={\"Host\": \"foo?\"})\nassert res2.status_code == 403, f\"{res2.text=}\"\n", "creation_timestamp": "2026-05-30T13:29:46.000000Z"}