{"uuid": "3b5d7360-4bf0-4c24-91db-66f39266ce4c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-48710", "type": "seen", "source": "https://gist.github.com/ftnext/074404c5d80f15c7c37295f2b36e5516", "content": "# https://github.com/ftnext/fastapi-playground/blob/aeda2c2992f446a58bf43f176b31ad523d85715f/starlette-cve-2026-48710-badhost/run_fastapi_app.py\nfrom fastapi import FastAPI, Request\nfrom fastapi.responses import PlainTextResponse\nfrom fastapi.testclient import TestClient\n\napp = FastAPI()\n\n\n@app.middleware(\"http\")\nasync def auth_middleware(request: Request, call_next):\n    print(f\"{request.url=}, {request.url.path=}\")\n    if request.url.path == \"/\":\n        return await call_next(request)\n    return PlainTextResponse(\"Forbidden\\n\", status_code=403)\n\n\n@app.get(\"/\")\nasync def root():\n    return PlainTextResponse(\"Hello, world\\n\")\n\n\n@app.get(\"/admin\")\nasync def admin():\n    return PlainTextResponse(\"secret=123\\n\")\n\n\nclient = TestClient(app)\n\nres1 = client.get(\"/admin\", headers={\"Host\": \"foo\"})\nassert res1.status_code == 403, f\"{res1.text=}\"\nres2 = client.get(\"/admin\", headers={\"Host\": \"foo/?\"})\nassert res2.status_code == 403, f\"{res2.text=}\"\n", "creation_timestamp": "2026-05-30T13:26:41.000000Z"}