FastAPI 0.111.0 - starlette dependency

FastAPI 0.111.0 requires starlette 0.37.2+. Update to FastAPI 0.115.0+, which uses starlette 0.40.0+, the version that patches CVE-2024-47874.

Latest safe version: FastAPI 0.115.0+ - use pip install fastapi --upgrade

FastAPI security — April 2026: No critical CVE has been issued for FastAPI core in April 2026. The most recent security-relevant change is FastAPI 0.115.0+ updating starlette to 0.40.0+ which patches CVE-2024-47874 (DoS via multipart). If you are seeing security scanner alerts for FastAPI, check whether the vulnerability is in starlette, pydantic, or uvicorn rather than FastAPI itself.

FastAPI 0.115.0 — released May 2026

FastAPI 0.115.0 is the current safe version. It requires starlette 0.40.0+ which patches CVE-2024-47874. If you are on 0.111.0, update now: pip install fastapi --upgrade

All FastAPI CVEs — Complete Vulnerability History

Last updated: April 1, 2026 · Data: OSV Database

FastAPI is Python's fastest-growing web framework. Its CVEs come primarily through Starlette (its ASGI foundation) and pydantic (its validation layer).

PyPI · 20M+ weekly downloads · 1 CVE total

Full CVE history

CVE | Year | Severity | Description | Fix
CVE-2024-24762 | 2024 | HIGH | ReDoS via crafted multipart form data | Fixed 0.109.1

Current safe version: 0.109.1

# Before
fastapi==0.100.0
# After
fastapi==0.109.1

Then run: pip install -r requirements.txt

FastAPI CVEs — what you actually need to fix

FastAPI has a minimal direct CVE history. Most "FastAPI vulnerabilities" are in its dependencies: starlette, pydantic, or uvicorn. When pip-audit flags FastAPI, the vulnerable package is almost always starlette.

# Check FastAPI's actual dependencies
pip show fastapi | grep Requires
# Requires: starlette, pydantic, typing-extensions

# The vulnerable package in most FastAPI audits
pip show starlette | grep Version

Known FastAPI dependency CVEs

Package | CVE | Safe Version
starlette | CVE-2024-47874 | 0.40.0+
starlette | CVE-2023-29159 | 0.27.0+
pydantic | CVE-2024-3772 | 2.7.0+

Fix FastAPI dependency vulnerabilities

# Update FastAPI and all its dependencies together
# (quote the extras so shells such as zsh do not treat the brackets as a glob)
pip install "fastapi[all]" --upgrade

# Or pin specific versions in requirements.txt
fastapi>=0.111.0
starlette>=0.40.0
pydantic>=2.7.0

pip install -r requirements.txt
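
To check a manifest against the safe versions in the table above before installing, the following is an added example (not code from FastAPI or from this page's tooling). The function names, the simplified version comparison and the sample manifest are assumptions made for illustration.

```python
import re

# Minimum fixed versions, copied from the dependency table on this page.
SAFE_FLOORS = {"starlette": "0.40.0", "pydantic": "2.7.0"}

# Matches pins such as "starlette==0.37.2" or "fastapi[all]>=0.111.0".
REQ_LINE = re.compile(r"^([A-Za-z0-9_.-]+)(?:\[[^\]]*\])?\s*(==|>=)\s*([0-9][0-9.]*)")


def _key(version):
    """Numeric release segments, padded to three; a simplification, not full PEP 440."""
    parts = [int(p) for p in version.split(".") if p]
    return tuple(parts + [0] * (3 - len(parts)))


def audit_requirements(text):
    """Return {package: finding} for every package listed in SAFE_FLOORS."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        m = REQ_LINE.match(line)
        if m:
            pins[m.group(1).lower().replace("_", "-")] = (m.group(2), m.group(3))
    findings = {}
    for pkg, floor in SAFE_FLOORS.items():
        if pkg not in pins:
            # Resolved transitively through fastapi, so the manifest alone proves nothing.
            findings[pkg] = "unpinned: check installed version with pip show"
            continue
        op, ver = pins[pkg]
        if _key(ver) >= _key(floor):
            findings[pkg] = "ok"
        elif op == "==":
            findings[pkg] = f"vulnerable pin {ver}, needs {floor}+"
        else:
            findings[pkg] = f"floor {ver} allows versions below {floor}"
    return findings


# Constructed sample manifest, not taken from a real project.
SAMPLE = """\
fastapi==0.111.0
starlette==0.37.2   # pulled in alongside the fastapi pin
pydantic>=2.5.0
"""

if __name__ == "__main__":
    for pkg, finding in audit_requirements(SAMPLE).items():
        print(f"{pkg}: {finding}")
```

An "unpinned" finding means the version is decided at install time, so confirm it with pip show starlette after installing.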

FastAPI security best practices

Beyond CVEs, the most common FastAPI security issues are: missing authentication on routes, CORS misconfiguration allowing all origins, and unvalidated file uploads. Use FastAPI's built-in Depends for auth and always configure CORS explicitly.

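from fastapi import FastAPI
from fastapi.middleware.cors import CORSMiddleware

app = FastAPI()

# Explicit CORS — never use allow_origins=["*"] in production
app.add_middleware(
    CORSMiddleware,
    allow_origins=["https://yourdomain.com"],  # exact origins allowed to call the API
    allow_credentials=True,
    allow_methods=["GET", "POST"],
    allow_headers=["Authorization"],
)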

Common questions

Does FastAPI have many direct CVEs?
FastAPI itself has very few direct CVEs — most FastAPI security issues come through Starlette or pydantic. Keeping the full stack updated together is the safest approach.