Summary
CVE-2026-48710, dubbed "BadHost," is a Host header authentication bypass vulnerability in Starlette, the lightweight Python ASGI framework underlying FastAPI, vLLM, LiteLLM, MCP servers, and a broad ecosystem of AI agent infrastructure. Affecting all Starlette releases from version 0.8.3 through 1.0.0, the flaw enables unauthenticated remote attackers to bypass path-based security middleware by injecting a single malformed character into the HTTP Host request header. The vulnerability was discovered by X41 D-Sec during an OSTIF-sponsored security audit of vLLM and carries a CVSS v3.1 base score of 6.5 (Medium), though security researchers assessed the real-world impact as materially more severe than the score reflects.
Technical details
- Root cause: Starlette reconstructs `request.url` by concatenating the raw HTTP `Host` header with the request path using the pattern `f"{scheme}://{host_header}{path}"`, without first validating the `Host` value against RFC 9112 §3.2 or RFC 3986 §3.2.2. Special characters such as `/`, `?`, and `#` in the `Host` header shift where the path, query, and fragment boundaries are parsed in the resulting URL string.
- Trigger conditions: Any middleware or endpoint that makes security decisions based on `request.url` or `request.url.path`, rather than the raw ASGI `scope['path']`, is vulnerable. No authentication, victim interaction, or special server configuration is required.
- Attack vector: An attacker sends an HTTP request with a crafted `Host` header containing a path-separator character. For example, a `Host` value of `example.com?` causes Starlette to present middleware with a sanitized allowlisted path (e.g., `/health`) while the underlying router dispatches the actual request to a protected endpoint (e.g., `/admin`). Requests that return `403 Forbidden` with a normal `Host` header return `200 OK` with a single appended `?` character. A one-line `curl` command is sufficient to trigger the bypass; no special tooling is required.
- Impact: Complete authentication bypass for any path-based security control implemented in Starlette middleware or endpoints. Researchers at X41 D-Sec further identified that in certain deployment patterns the bypass can chain into Server-Side Request Forgery (SSRF) against cloud metadata services, and in environments where protected endpoints expose model loading or tool execution, potentially into Remote Code Execution (RCE). Multiple public proof-of-concept exploits are available, including a dedicated online scanner at badhost.org.
Affected software
- Starlette versions 0.8.3 through < 1.0.1
- FastAPI (all releases depending on an affected Starlette version)
- vLLM, LiteLLM, text-generation-inference, and other frameworks built on top of Starlette
- MCP servers and AI agent harnesses built on Starlette-based frameworks
Severity
CVSS v3.1 Base Score: 6.5 (Medium)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Mitigation and recommended actions
- Immediate action: Upgrade to Starlette 1.0.1 or later. Version 1.0.1 validates the `Host` header against RFC 9112 §3.2 / RFC 3986 §3.2.2 and falls back to `scope["server"]` for malformed values. FastAPI, vLLM, LiteLLM, and all dependent frameworks should be updated to releases pinned to Starlette ≥ 1.0.1. All containers and bundled virtual environments must be rebuilt and redeployed.
- If immediate patching is not feasible:
  - Deploy a compliant reverse proxy (such as nginx or Apache) in front of the Starlette application; properly configured proxies will normalize or reject malformed `Host` headers before they reach Starlette.
  - Audit middleware and endpoint security logic to ensure all security decisions reference `scope['path']` rather than `request.url.path`.
  - Restrict network access to exposed Starlette-based services where possible.
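To support the audit point above, the following self-contained Python is an added example (not code from Starlette, IONIX, or X41 D-Sec): it rebuilds a URL from a constructed ASGI scope using the concatenation pattern described in the technical details, shows why a path check on the rebuilt URL diverges from one on `scope['path']`, and sketches the validate-or-fall-back-to-`scope["server"]` behaviour. The host regex, `SCOPE`, `PROTECTED` and the helper names are assumptions for illustration, not the framework's own validator.

```python
import re
from urllib.parse import urlsplit

# Constructed ASGI scope (plain dict): an unauthenticated request for /admin
# whose Host header carries the trailing '?' the advisory describes.
SCOPE = {
    "type": "http",
    "scheme": "http",
    "path": "/admin",
    "headers": [(b"host", b"example.com?")],
    "server": ("127.0.0.1", 8000),
}

# Simplified RFC 3986 3.2.2 host (IP-literal or reg-name) plus optional port.
# Assumption: illustrative pattern only, not Starlette's own validator.
_HOST_RE = re.compile(
    r"^(?:\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9\-._~%!$&'()*+,;=]+)(?::\d{1,5})?$"
)

def header(scope, name):
    for key, value in scope["headers"]:
        if key == name:
            return value.decode("latin-1")
    return None

def reconstructed_path(scope):
    """Path as parsed from a URL rebuilt with the pre-1.0.1 pattern."""
    url = f"{scope['scheme']}://{header(scope, b'host')}{scope['path']}"
    return urlsplit(url).path

def host_is_valid(host):
    return host is not None and _HOST_RE.match(host) is not None

def effective_host(scope):
    """Validated Host, or scope['server'] as the fallback the fix describes."""
    host = header(scope, b"host")
    if host_is_valid(host):
        return host
    addr, port = scope["server"]
    return f"{addr}:{port}"

PROTECTED = ("/admin",)

def blocked_by_url_path(scope):
    """Vulnerable check: the rebuilt URL's path no longer starts with /admin."""
    return reconstructed_path(scope).startswith(PROTECTED)

def blocked_by_scope_path(scope):
    """Hardened check: the raw ASGI scope['path'] is unaffected by Host."""
    return scope["path"].startswith(PROTECTED)
```

With the constructed scope, `reconstructed_path` returns an empty string because the `?` in the host moves `/admin` into the query component, so the URL-based check lets the request through while the `scope['path']` check still blocks it.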
IONIX Status
The IONIX research team is tracking ongoing exploitation attempts and recommends immediate patching. Potentially affected assets are outlined in this post.