Encode


Products by Encode Sorted by Most Security Vulnerabilities since 2018

Encode Starlette: 4 vulnerabilities

Encode Httpx: 1 vulnerability

Encode Uvicorn: 1 vulnerability

By the Year

In 2026 there have been 0 vulnerabilities in Encode. Last year, in 2025, Encode had 1 security vulnerability published. Right now, Encode is on track to have fewer security vulnerabilities in 2026 than it did last year.




Year Vulnerabilities Average Score
2026 0 0.00
2025 1 7.50
2024 1 7.50
2023 2 7.50
2022 1 9.10
2021 0 0.00
2020 2 5.70

It may take a day or so for new Encode vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Encode Security Vulnerabilities

CVE Date Vulnerability Products
CVE-2025-62727 Oct 28, 2025
Starlette FileResponse CPU Exhaustion via Range Header (0.49.0)
Starlette is a lightweight ASGI framework/toolkit. Starting in version 0.39.0 and prior to version 0.49.1, an unauthenticated attacker can send a crafted HTTP Range header that triggers quadratic-time processing in Starlette's FileResponse Range parsing/merging logic. This enables CPU exhaustion per request, causing denial of service for endpoints serving files (e.g., StaticFiles or any use of FileResponse). This vulnerability is fixed in 0.49.1.
Starlette
CVE-2024-24762 Feb 05, 2024
ReDoS: Content-Type parsing in python-multipart v0.0.6 or below
`python-multipart` is a streaming multipart parser for Python. When using form data, `python-multipart` uses a Regular Expression to parse the HTTP `Content-Type` header, including options. An attacker could send a custom-made `Content-Type` option that is very difficult for the RegEx to process, consuming CPU resources and stalling indefinitely (minutes or more) while holding the main event loop. This means that the process can't handle any more requests, leading to regular expression denial of service. This vulnerability has been patched in version 0.0.7.
Starlette
CVE-2023-29159 Jun 01, 2023
Directory Traversal in Starlette 0.13.5<0.27.0 (remote, unauthenticated)
Directory traversal vulnerability in Starlette versions 0.13.5 and later and prior to 0.27.0 allows a remote unauthenticated attacker to view files in a web service which was built using Starlette.
Starlette
CVE-2023-30798 Apr 21, 2023
Excessive Memory DoS via MultipartParser in Starlette <0.25.0
MultipartParser usage in Encode's Starlette Python framework before version 0.25.0 allows an unauthenticated and remote attacker to specify any number of form fields or files, which can cause excessive memory usage resulting in denial of service of the HTTP service.
Starlette
CVE-2021-41945 Apr 28, 2022
Encode OSS httpx < 0.23.0 is affected by improper input validation in `httpx.URL`
Encode OSS httpx < 0.23.0 is affected by improper input validation in `httpx.URL`, `httpx.Client` and some functions using `httpx.URL.copy_with`.
Httpx
CVE-2020-25626 Sep 30, 2020
A flaw was found in Django REST Framework versions before 3.12.0 and before 3.11.2
A flaw was found in Django REST Framework versions before 3.12.0 and before 3.11.2. When using the browseable API viewer, Django REST Framework fails to properly escape certain strings that can come from user input. This allows a user who can control those strings to inject malicious <script> tags, leading to a cross-site-scripting (XSS) vulnerability.
Django Rest Framework
CVE-2020-7695 Jul 27, 2020
Uvicorn before 0.11.7 is vulnerable to HTTP response splitting
Uvicorn before 0.11.7 is vulnerable to HTTP response splitting. CRLF sequences are not escaped in the value of HTTP headers. Attackers can exploit this to add arbitrary headers to HTTP responses, or even return an arbitrary response body, whenever crafted input is used to construct HTTP headers.
Uvicorn
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD).