new | ask | show | jobs
nickcw 12 hours ago  [ - ]

If you read the advisory and are wondering what starlette is, from it's web page: starlette is a lightweight ASGI framework/toolkit, which is ideal for building async web services in Python.

It's used a lot in the data heavy AI world for it's efficiency shipping large files. This includes lots and lots of production servers.

From the advisory: this includes LLM inference servers like vLLM, LLM proxy servers like LiteLLM, AI agent frameworks, MCP gateways, and custom APIs. MCP servers are especially at risk because the MCP spec mandates unauthenticated OAuth discovery endpoints, providing a reliable path for exploitation.

alex_suzuki 12 hours ago  [ - ]

Notably, Starlette powers FastAPI, an extremely popular Python framework for building HTTP services.

spennant 8 hours ago  [ - ]

Is this still true?

b40d-48b2-979e 7 hours ago  [ - ]

You may be thinking of Litestar (previously named Starlite) that was based on Starlette akin to FastAPI but then went their own direction implementing a framework rather than relying on an upstream for their core product.

flowardnut 3 hours ago  [ - ]

https://github.com/fastapi/fastapi/blob/master/pyproject.tom...

discord23 8 hours ago  [ - ]

Yes, it's literally the first bullet point on the project's website.

sedimannapoleon 7 hours ago  [ - ]

[dead]

hsbauauvhabzb 11 hours ago  [ - ]

Ironically typing ‘make sure my server is secure’ into an LLM either wasn’t done, or missed it until now.

wongarsu 9 hours ago  [ - ]

The posted page has an entire section titled "Why didn't Mythos find this?"

tl;dr: the bug spans three components in different code bases that when looked at in isolation each do reasonable things. The bug is in the interaction, in the assumed properties of the value that eventually gets exposed as request.url.path. That was apparently too subtle for current Anthropic models to spot

hsbauauvhabzb 8 hours ago  [ - ]

So an LLM was unable to reason about a codebase to find cross-library vulnerabilities.

Your response was a weak excuse, it’s a clear demonstration of the shortcomings of LLMs which will inevitably cause headlines in the future.

wongarsu 7 hours ago  [ - ]

If you point an LLM at a middleware and ask it to find vulnerabilities, then not finding this is a shortcoming.

Whether "LLM failed to spot vulnerability that took humans 8 years to find" is a great headline about shortcomings of LLMs is questionable, but it is a good example of a category of bug that is particularly hard to spot for humans and LLMs alike

saghm 5 hours ago  [ - ]

When the past month has been full of headlines claiming that Mythos et al. will be the end of secure software as well know it, it's fair game to emphasize the places we know already are not going to be covered by them.