
An application can be exposed even if its developers never installed Starlette, because another component may have, X41 D-Sec said. Starlette has more than 400,000 dependent projects on GitHub, according to the firm.
Who is most exposed
Not every dependent project is equally at risk, X41 D-Sec said. Whether an application can be attacked comes down to how it is deployed. The dividing line is the reverse proxy: A proxy such as nginx or Apache HTTP Server rejects the malformed request before it reaches the application, and production websites usually sit behind such a layer. Research, evaluation and development setups for AI software often do not, and many run the application server facing the network directly, it said.

