Starlette
Endless Lifecycle Support (ELS) for Libraries from TuxCare provides security fixes for Starlette. This allows you to continue running your Starlette applications without vulnerability concerns, even after official support has ended.
Supported Starlette Versions
- Starlette 0.13.6, 0.27.0
Other versions upon request.
Connection to ELS for Starlette Repository
This guide outlines the steps needed to integrate the TuxCare ELS for Starlette repository.
Step 1: Get user credentials
You need a username and password in order to use TuxCare ELS for Starlette repository. Anonymous access is disabled. To receive the credentials please contact sales@tuxcare.com.
Step 2: Set Up ELS for Starlette
To use TuxCare's ELS for Starlette, follow one of the options below:
Option 1: Install a Package with ELS Repository via Command Line
You can install or upgrade a package directly using the ELS repository with your credentials:
pip install --upgrade \
-i https://<username>:<password>@nexus.repo.tuxcare.com/repository/els_python/simple \
starlette
Replace <username> and <password> with the credentials provided by sales.
Option 2: Configure pip to Use the ELS Repository (Full Replacement)
This method is recommended if you want to use only ELS-patched Python packages from TuxCare and replace the default PyPI source with the TuxCare ELS repository.
Create or update the
pipconfiguration file and add the following:[global] index-url = https://username:password@nexus.repo.tuxcare.com/repository/els_python/simpleRun the command to install the latest package version:
pip install --upgrade starletteOr install a specific patched TuxCare version, for example:
pip install starlette==0.27.0.post1+tuxcare
Option 3: Add the TuxCare ELS Repository as Additional (recommended)
If you want to keep using public PyPI and fetch only specific patched packages from TuxCare, use extra-index-url instead. In this configuration, make sure to specify the exact patched version (step 2 below), otherwise pip may install the version from public PyPI.
Create or update the
pipconfiguration file and add the following:[global] extra-index-url = https://username:password@nexus.repo.tuxcare.com/repository/els_python/simpleRun the command to install a specific patched TuxCare version, for example:
pip install starlette==0.27.0.post1+tuxcare
Upgrading to a Newer TuxCare Version
To upgrade to a newer TuxCare release (e.g., from version.post1+tuxcare to version.post2+tuxcare) use the same installation method you used above and specify the newer package version.
Vulnerability Exploitability eXchange (VEX)
VEX is a machine-readable format that tells you if a known vulnerability is actually exploitable in your product. It reduces false positives, helps prioritize real risks.
TuxCare provides VEX for Starlette ELS versions: security.tuxcare.com/vex/cyclonedx/els_lang_python/starlette/.
Resolved CVEs
Fixes for the following vulnerabilities are available in ELS for Starlette from TuxCare versions:
| CVE ID | Severity | Library | Vulnerable Versions | Safe Version |
|---|---|---|---|---|
| CVE-2025-54121 | Medium | starlette | <= 0.47.1 | 0.13.6.post1+tuxcare |
| CVE-2025-54121 | Medium | starlette | <= 0.47.1 | 0.27.0.post2+tuxcare |
| CVE-2024-47874 | High | starlette | < 0.40.0 | 0.13.6.post2+tuxcare |
| CVE-2024-47874 | High | starlette | < 0.40.0 | 0.27.0.post1+tuxcare |
| CVE-2023-30798 | High | starlette | < 0.25.0 | 0.13.6.post2+tuxcare |
| CVE-2023-29159 | High | starlette | >= 0.13.5, < 0.27.0 | 0.13.6.post2+tuxcare |
N/A (Not Available) means that the National Vulnerability Database (NVD) has registered this CVE, but an official CVSS severity score has not yet been assigned.
If you are interested in the TuxCare Endless Lifecycle Support, contact sales@tuxcare.com.
