BadHost – CVE-2026-48710: Starlette Host-Header Auth Bypass
Summary
BadHost reports a vulnerability in Starlette < 1.0.1 in which the Host header is used to construct request.url, allowing an attacker to bypass path-based authentication middleware that relies on that value. The write-up highlights widespread impact on AI infrastructure (vLLM, LiteLLM, MCP servers) and covers scanning and PoC availability. The mitigations it lists are upgrading Starlette, moving authentication to route-based security (Depends/Security) instead of path-matching middleware, and deploying a reverse proxy in front of the application.