Starlette Just Shipped a Critical CVE. If Your Agent Has FastAPI Anywhere in Its Stack, This Is Yours.
Dan Goodin at Ars Technica reported yesterday afternoon that a critical vulnerability nicknamed BadHost was found in Starlette. If you do not run agents in production you can stop reading here. If you do, I am going to spend the next four minutes on the audit you should run today, the dependency surface that actually matters, and the feeds I am using to verify exposure across our own stack at TensorFeed.
Why this is a big deal in three numbers: Starlette is downloaded roughly 325 million times a week. Starlette is the ASGI toolkit that ships inside FastAPI, which is the default backend for almost every AI agent server, MCP gateway, and tool-calling middleware built in Python since 2023. The blast radius is wide enough that Ars used the phrase "millions of AI agents" in the headline and did not exaggerate.
Why Agents Got Hit Disproportionately
The agent stack standardized on FastAPI faster than any prior backend cohort. The default MCP server template uses FastAPI. The reference x402 facilitator uses FastAPI. Most of the model gateways I have read source code on this year use FastAPI. Three reasons. It is async-first, the type hints map naturally to tool schemas, and the documentation reads well when you are writing it in two hours between other commitments.
What that means in supply-chain terms: a single transitive dependency that runs under FastAPI is now load-bearing for a category of software that did not exist when Starlette was first written. The library was designed for plain HTTP services. It is now hosting identity, payment, and capability surfaces for autonomous agents. That is a bigger attack surface than the maintainers signed up for, and the BadHost CVE is the first public reminder of it.
The Five-Minute Audit
Run these four checks before you do anything else today.
First, find every service in your portfolio that has FastAPI or Starlette in its dependency tree, including transitive. If you use pip-tools or uv, this is uv tree | grep -E starlette. For Poetry, poetry show --tree | grep -i starlette. For Docker images, scan the layers with Syft or Grype. Do not trust the top-level requirements file; transitive pulls are how Starlette got into half of the services that do not import it directly.
Second, capture the installed version. The Ars piece does not name the affected range inline, so until the GitHub Security Advisory entry settles, pin to whatever the maintainers ship as the fixed version and treat anything below it as exposed.
Third, audit your external exposure. An agent server that only talks to internal services has a different threat model than one with public x402 endpoints. If you operate paid agent surfaces, the public-facing endpoints are the ones that need patching first. Internal-only agents can wait for the next deploy window, but should be tracked.
Fourth, write down what you did. CVE handling is a discipline. If you do not log the audit, the next person on the same machine cannot tell whether you patched. A note in your team channel with the date, the affected services, and the patch status is enough.
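The first, second and fourth checks can be scripted per environment. The sketch below is an added example, not code from Starlette, FastAPI or TensorFeed: it walks the installed package metadata to list everything that pulls Starlette in, records the installed version, and emits a dated JSON line for the audit log. The function names are hypothetical, and the fixed version is an argument you supply from the advisory, since this post does not name it.

```python
import datetime, json, re, sys
from importlib import metadata

def norm(name):
    """PEP 503 name normalisation, so 'Starlette' and 'starlette' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def req_name(req):
    """Project name from a Requires-Dist string; None if it only applies to an extra."""
    if re.search(r";.*\bextra\s*==", req):
        return None
    m = re.match(r"\s*([A-Za-z0-9][A-Za-z0-9._-]*)", req)
    return norm(m.group(1)) if m else None

def installed():
    """Map name -> (version, [required names]) for the current environment."""
    env = {}
    for d in metadata.distributions():
        name = d.metadata.get("Name")
        if name:
            env[norm(name)] = (d.version, [n for n in map(req_name, d.requires or []) if n])
    return env

def pulled_in_by(env, target="starlette"):
    """Installed packages that reach `target` directly or through other packages."""
    target, hits, grew = norm(target), set(), True
    while grew:  # fixed-point walk up the reverse dependency edges
        grew = False
        for name, (_, deps) in env.items():
            if name != target and name not in hits and any(d == target or d in hits for d in deps):
                hits.add(name)
                grew = True
    return sorted(hits)

def release(version):
    """Numeric release as a 4-tuple: '0.46.2.post1' -> (0, 46, 2, 0). Pre/post tags are ignored."""
    nums = [int(x) for x in re.match(r"\d+(?:\.\d+)*", version).group(0).split(".")]
    return tuple((nums + [0, 0, 0, 0])[:4])

def audit(env, fixed=None, target="starlette"):
    """One audit record; `fixed` is the patched version from the advisory (None = not yet known)."""
    if norm(target) not in env:
        return {"present": False}
    version = env[norm(target)][0]
    return {"present": True, "version": version, "pulled_in_by": pulled_in_by(env, target),
            "exposed": release(version) < release(fixed) if fixed else None}

if __name__ == "__main__":  # usage: python audit.py [FIXED_VERSION from the advisory]
    record = audit(installed(), sys.argv[1] if len(sys.argv) > 1 else None)
    print(json.dumps({"checked": datetime.date.today().isoformat(), **record}))
```

Run it inside each service's virtualenv or container image; an "exposed" value of null means Starlette is present but no fixed version was supplied to compare against.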
The Feeds I Am Using
We ship a few endpoints that exist for exactly this kind of day. The two I am hitting first:
The ai-cves latest feed surfaces the AI-stack CVE cohort our DataPal pipeline pulls daily, with affected products flat-listed and ranked by severity. Starlette landed in that cohort this morning; the AI-stack-vendors curated list covers the inference, agent framework, vector DB, and gateway tiers, and FastAPI sits in the agent-framework bucket. If you operate at scale, the premium ai-stack-cves derivation gives you the filtered + categorized view in one paid call.
The AI supply-chain IOC feed covers the broader npm and PyPI malware advisories filtered for AI relevance. Starlette is not a malware case (this is a CVE, not a supply-chain compromise), but the same feed is the one to watch for the next post-BadHost wave of opportunistic attacks. Bug disclosures attract scanning traffic; expect probe volume on FastAPI endpoints to rise over the next 72 hours.
For a single-package lookup, the ai-cves batch endpoint (shipped yesterday as Wave 15) lets you pass up to 10 CVE ids in one call. Most agent stacks pull on the order of 50 to 200 packages; a one-shot batch over the top 10 load-bearing ones is faster than 10 round trips.
The Structural Lesson
The thing I keep coming back to is that the agent stack inherited a supply chain that was built for a different shape of software. Starlette did not become a critical dependency by accident. It became a critical dependency because FastAPI did, and FastAPI did because the agent ecosystem standardized on it faster than any other Python web framework has standardized on anything in the last decade.
The lesson is not that Starlette is bad or FastAPI is bad. The lesson is that concentration in the dependency graph creates blast-radius risk that scales with the asset value sitting on top of it. An MCP server that holds an Anthropic API key worth tens of dollars in spend is a different risk surface than a Flask app serving a static dashboard. The dependency hygiene needs to be calibrated to what is on top of it.
Concretely, that means three habits going forward. Pin transitive dependencies, not just top-level. Subscribe to the upstream security advisory for every framework that holds authentication, payment, or model-API access. Audit the dependency tree quarterly, not annually. None of this is new to anyone who has shipped production software for ten years. It is new to a lot of the people shipping agents today.
Our Take
BadHost is not the last critical CVE the agent ecosystem will absorb this year. It is probably not even the worst one. The interesting question is whether the agent operator population builds the dependency-hygiene reflexes the rest of the production-software world had to learn in the 2010s, or whether the field assumes the upstream maintainers will keep absorbing the risk for free. The 325-million-weekly-download number is the tell that the second assumption is the dominant one right now.
The five-minute audit is real. The feeds are live. The CVE catalog is growing. Patch Starlette today, write the dependency-hygiene playbook this week, and treat the next BadHost-class disclosure as a calibration event for your operator instincts. The alternative is the agent your model gateway is running becoming the lateral-movement surface for the next breach. Nobody who ships agents in production wants that on their resume.
