FastAPI Migration Guide — 0.x to 0.115.x Breaking Changes
This guide targets FastAPI 0.115.0+ with starlette 0.40.0+. FastAPI 0.111.0 uses starlette 0.37.2, which is affected by CVE-2024-47874. Update to 0.115.0+ to get the patched starlette.
FastAPI 0.111.0 — starlette dependency issue
FastAPI 0.111.0 requires starlette>=0.37.2,<0.38.0. starlette 0.37.x has CVE-2024-47874 (DoS via multipart form data). FastAPI 0.115.0+ updates this to starlette 0.40.0+, which patches the CVE.

# Check what you have
pip show fastapi starlette | grep -E "Name:|Version:"

# Fix — update to safe version
pip install fastapi --upgrade

# Or pin in requirements.txt
fastapi>=0.115.0
starlette>=0.40.0
Key changes by version
| Version | starlette | Status | Key change |
|---|---|---|---|
| 0.115.0+ | 0.40.0+ | SAFE | Patches CVE-2024-47874 |
| 0.111.0 | 0.37.2 | VULNERABLE | starlette DoS via multipart |
| 0.104.1 | 0.27.0 | VULNERABLE | starlette path traversal CVE |
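A manifest check for the version floors in the table above, as an added example that is not part of the original guide or of PackageFix. The function names and the sample manifest are assumptions made for illustration; the floors (fastapi 0.115.0, starlette 0.40.0) are the ones this page gives.

```python
import re

# Minimum safe versions, taken from the version table on this page.
MINIMUMS = {"fastapi": (0, 115, 0), "starlette": (0, 40, 0)}

NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?(.*)$")
SPEC_RE = re.compile(r"(===|==|~=|>=|<=|!=|>|<)\s*(\d+(?:\.\d+)*)")
LOWER_BOUND_OPS = {"==", "===", "~=", ">=", ">"}


def parse_version(text):
    """'0.40' -> (0, 40, 0); pads to three numeric components."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def audit_requirements(text):
    """Return {package: reason} for lines that permit a version below MINIMUMS."""
    findings = {}
    for raw in text.splitlines():
        # Drop comments and environment markers ("; python_version >= '3.8'"),
        # whose version numbers must not be mistaken for package bounds.
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        match = NAME_RE.match(line)
        if not match:
            continue
        name, specs = match.group(1).lower(), match.group(2)
        if name not in MINIMUMS:
            continue
        lows = [parse_version(v) for op, v in SPEC_RE.findall(specs)
                if op in LOWER_BOUND_OPS]
        if not lows:
            findings[name] = "no lower bound"
        elif max(lows) < MINIMUMS[name]:
            findings[name] = "allows " + ".".join(map(str, max(lows)))
    return findings


# Constructed sample manifest, not taken from a real project.
SAMPLE = """\
fastapi[standard]==0.111.0   # pinned before the fix
Starlette>=0.37.2,<0.38.0 ; python_version >= "3.8"
pydantic>=2.0
"""

if __name__ == "__main__":
    for pkg, reason in audit_requirements(SAMPLE).items():
        floor = ".".join(map(str, MINIMUMS[pkg]))
        print(f"{pkg}: {reason}; needs >= {floor}")
```

The check reads only the manifest text, so a transitive starlette that is not listed there still has to be confirmed against the installed environment with `pip show`.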
Breaking changes — older versions to 0.115.x
Pydantic v1 no longer supported
FastAPI 0.100.0+ requires Pydantic v2. If you are on Pydantic v1, you must migrate Pydantic before upgrading FastAPI above 0.99.x.
# Check your pydantic version
pip show pydantic | grep Version

# If pydantic 1.x — upgrade pydantic first
pip install pydantic --upgrade

# Then upgrade fastapi
pip install fastapi --upgrade
Response model changes in 0.100+
# Old pattern (still works but deprecated)
from typing import List

@app.get("/items", response_model=List[Item])
async def get_items():
    return items

# New pattern (0.100+)
@app.get("/items")
async def get_items() -> list[Item]:
    return items
Common errors when upgrading
ImportError: cannot import name 'validator' from 'pydantic'
Pydantic v2 removed @validator. Replace with @field_validator.
# Pydantic v1
from pydantic import BaseModel, validator

class Item(BaseModel):
    name: str

    @validator('name')
    def name_must_not_be_empty(cls, v):
        # Reject empty strings
        if not v:
            raise ValueError('name cannot be empty')
        return v

# Pydantic v2
from pydantic import BaseModel, field_validator

class Item(BaseModel):
    name: str

    @field_validator('name')
    @classmethod
    def name_must_not_be_empty(cls, v):
        # Reject empty strings
        if not v:
            raise ValueError('name cannot be empty')
        return v
ValidationError format changed
Pydantic v2 changed the ValidationError format. If you catch and parse ValidationError messages, update your error handling.
After updating - verify your fix
Run these commands to confirm the update worked:
# npm projects
npm list multer
npm list node-fetch

# Python projects
pip show fastapi | grep Version
pip show flask | grep Version

# Scan your full manifest for other vulnerabilities
# Paste your requirements.txt or package.json into PackageFix
Paste your full manifest into PackageFix to check all packages at once.
Vulnerability data sourced from the OSV database and public package registries. Always test dependency updates in a staging environment before deploying to production. PackageFix provides these tools for informational purposes only and cannot guarantee that pinned versions are free from undiscovered vulnerabilities.