Starlette

General Information

| Field | Value |
| --- | --- |
| Package Name | starlette |
| Manufacturer / Vendor | Encode OSS Ltd. (Tom Christie and contributors) |
| Software Category | Framework |
| Primary Documentation | Documentation, GitHub, PyPI |
| Programming Language(s) | Python |
| License | BSD 3-Clause License |
| Deployed Version(s) | >=0.49.0 (version-locked at 0.50.0) |
| Most Recent Available Version | 0.52.1 |
| Last Review Date | 2026-01-27 |

Overview

Starlette is a lightweight ASGI (Asynchronous Server Gateway Interface) framework/toolkit designed for building high-performance async web services in Python. It provides the foundational components for modern Python web applications, including routing, middleware, WebSocket support, and background tasks. Starlette is the underlying framework upon which FastAPI is built, inheriting its core ASGI capabilities and request/response handling.

Within the medical device software, Starlette provides essential low-level ASGI primitives that extend FastAPI's capabilities for cross-cutting concerns. It is integrated into the legithp-essentials shared library and the API gateway application, where it serves the following purposes:

  • Correlation ID middleware: The CorrelationIdMiddleware in legithp_essentials.correlation extends Starlette's BaseHTTPMiddleware to implement distributed request tracing. This middleware extracts or generates correlation IDs for each HTTP request, propagates them through the context to downstream microservices, and includes them in response headers for end-to-end request tracking across all AI expert services
  • API call recording middleware: The CallRecorderMiddleware in the API gateway uses Starlette's middleware infrastructure to intercept all requests and responses, capturing metadata for audit logging and compliance tracking
  • Application lifecycle management: The Lifespan type from Starlette is used to define async context managers for managing application startup and shutdown sequences, including initialization of background sync managers for call record resilience

Starlette was selected because it is the native foundation of FastAPI (the device's primary web framework), provides a clean middleware API for implementing cross-cutting concerns without framework coupling, offers strong async/await support critical for high-throughput API operations, and uses a permissive BSD license compatible with commercial medical device software.
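The correlation-ID middleware described above, as an added example that is not the device's legithp_essentials.correlation code: it is written as a pure ASGI middleware (the protocol that Starlette's BaseHTTPMiddleware wraps) using only the standard library, so it runs without Starlette installed. The header name, the accepted ID syntax, the ContextVar and the helper names are assumptions; the inbound value is validated before reuse so that a client cannot push CR/LF or other junk into audit records through this header.

```python
import asyncio
import re
import uuid
from contextvars import ContextVar

# Header name, accepted ID syntax and the ContextVar are assumptions; the page states none of them.
CORRELATION_HEADER = b"x-correlation-id"
_VALID_ID = re.compile(r"[A-Za-z0-9_.-]{1,128}")
correlation_id: ContextVar[str] = ContextVar("correlation_id", default="")  # read by handlers/outbound clients

def extract_or_generate(headers):
    """Reuse a well-formed inbound ID, else mint one; malformed values (e.g. with CR/LF) are dropped."""
    inbound = dict(headers).get(CORRELATION_HEADER, b"").decode("latin-1", "replace")
    return inbound if _VALID_ID.fullmatch(inbound) else str(uuid.uuid4())

class CorrelationIdMiddleware:
    """Pure ASGI middleware: bind the ID for the request's context and echo it in the response."""
    def __init__(self, app):
        self.app = app

    async def __call__(self, scope, receive, send):
        if scope["type"] != "http":  # lifespan and websocket events pass straight through
            return await self.app(scope, receive, send)
        cid = extract_or_generate(scope.get("headers", []))  # ASGI header names are lowercase bytes
        token = correlation_id.set(cid)
        async def send_with_id(message):
            if message["type"] == "http.response.start":
                kept = [h for h in message.get("headers", []) if h[0].lower() != CORRELATION_HEADER]
                message = {**message, "headers": kept + [(CORRELATION_HEADER, cid.encode())]}
            await send(message)
        try:
            await self.app(scope, receive, send_with_id)
        finally:
            correlation_id.reset(token)  # never leak one request's ID into the next

async def echo_app(scope, receive, send):
    """Stand-in downstream handler: its body is the ID it observed through the ContextVar."""
    await send({"type": "http.response.start", "status": 200, "headers": []})
    await send({"type": "http.response.body", "body": correlation_id.get().encode()})

def run_request(headers):
    """Drive the wrapped app with a constructed ASGI scope; return (response headers, body)."""
    sent = []
    async def receive():
        return {"type": "http.request", "body": b"", "more_body": False}
    async def send(message):
        sent.append(message)
    scope = {"type": "http", "method": "GET", "path": "/", "headers": headers}
    asyncio.run(CorrelationIdMiddleware(echo_app)(scope, receive, send))
    return dict(sent[0]["headers"]), sent[1]["body"]
```

In a deployment the outbound HTTP client calling the AI expert services would read the same ContextVar and forward the ID, which is what makes the end-to-end trace possible. With BaseHTTPMiddleware the body of `__call__` moves into `dispatch(request, call_next)` and the header is set on the returned Response instead of on the raw `http.response.start` message.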

Functional Requirements

The following functional capabilities of this SOUP are relied upon by the medical device software.

| Requirement ID | Description | Source / Reference |
| --- | --- | --- |
| FR-001 | Provide base class for implementing HTTP middleware with request/response lifecycle | starlette.middleware.base.BaseHTTPMiddleware |
| FR-002 | Define ASGI application type for middleware composition | starlette.types.ASGIApp |
| FR-003 | Define lifespan context manager type for application lifecycle hooks | starlette.types.Lifespan |
| FR-004 | Support async dispatch method for processing requests and responses | BaseHTTPMiddleware.dispatch() |
| FR-005 | Provide access to request headers, body, and client information | Request object properties |
| FR-006 | Enable response header modification for adding correlation IDs | Response.headers dictionary |

Performance Requirements

The following performance expectations are relevant to the medical device software.

| Requirement ID | Description | Acceptance Criteria |
| --- | --- | --- |
| PR-001 | Middleware dispatch shall complete without blocking the event loop | No synchronous blocking operations in middleware chain |
| PR-002 | Middleware overhead shall not significantly impact API response latency | Middleware processing time < 5% of total request handling time |
| PR-003 | Memory usage shall remain stable during sustained request processing | No memory leaks during continuous middleware operation |

Hardware Requirements

The following hardware dependencies or constraints are imposed by this SOUP component.

| Requirement ID | Description | Notes / Limitations |
| --- | --- | --- |
| HR-001 | x86-64 or ARM64 processor architecture | Pre-built wheels available for common platforms |
| HR-002 | Sufficient memory for async operations | Memory scales with concurrent request count |

Software Requirements

The following software dependencies and environmental assumptions are required by this SOUP component.

| Requirement ID | Description | Dependency / Version Constraints |
| --- | --- | --- |
| SR-001 | Python runtime environment | Python >=3.10 |
| SR-002 | AnyIO for async abstraction layer | anyio >=3.6.2 (bundled dependency) |
| SR-003 | ASGI server for production deployment | uvicorn, hypercorn, or daphne |
| SR-004 | FastAPI integration for HTTP framework | FastAPI inherits Starlette's ASGI foundations |

Known Anomalies Assessment

This section evaluates publicly reported issues, defects, or security vulnerabilities associated with this SOUP component and their relevance to the medical device software.

| Anomaly Reference | Status | Applicable | Rationale | Reviewed At |
| --- | --- | --- | --- | --- |
| CVE-2025-62727 (FileResponse Range header ReDoS) | Fixed | No | ReDoS vulnerability (CVSS 7.5 HIGH) affecting versions 0.39.0 through 0.49.0 in FileResponse Range parsing; the device uses version-locked 0.50.0, which includes the fix | 2026-01-27 |
| CVE-2025-54121 (Multipart form parsing DoS) | Fixed | No | DoS vulnerability (CVSS 5.3 MEDIUM) affecting versions <=0.47.1 where multipart form handling blocks the event loop; fixed in 0.47.2, device uses 0.50.0 | 2026-01-27 |
| CVE-2024-47874 (MultipartParser) | Fixed | No | DoS in multipart parsing with Content-Disposition headers; fixed in 0.40.0, device uses 0.50.0 | 2026-01-27 |

Starlette is actively maintained by Encode OSS Ltd. with a robust security response process. The project maintains a security policy and uses GitHub Security Advisories for coordinated disclosure. According to Snyk's vulnerability database, historical vulnerabilities have been promptly addressed in subsequent releases.

The device's usage pattern minimizes attack surface exposure:

  • Limited feature usage: The device uses only middleware base classes and type definitions from Starlette; it does not use FileResponse, StaticFiles, or multipart form parsing directly through Starlette APIs
  • Version locking: Requirements lock files pin Starlette to version 0.50.0, which includes fixes for all known critical and high-severity vulnerabilities
  • Indirect dependency: Starlette is primarily used as the underlying framework for FastAPI; high-level request handling goes through FastAPI's validated interfaces
  • No file serving: The device does not serve static files or use FileResponse, eliminating exposure to CVE-2025-62727
  • API-focused architecture: The device uses JSON request/response patterns rather than multipart form uploads at the Starlette layer

Risk Control Measures

The following risk control measures are implemented to mitigate potential security and operational risks associated with this SOUP component:

  • Version locking via requirements_lock.txt ensures reproducible, auditable deployments with known-secure versions
  • Limited API surface usage (only middleware base classes and types)
  • FastAPI abstraction layer provides additional validation and security controls
  • All API endpoints are authenticated and rate-limited, reducing exposure to DoS attacks

Assessment Methodology

The following methodology was used to identify and assess known anomalies:

  • Sources consulted:
    • National Vulnerability Database (NVD) search for "starlette"
    • GitHub Security Advisories for encode/starlette
    • Snyk vulnerability database
    • PyPI package security reports
    • Encode OSS security announcements
  • Criteria for determining applicability:
    • Vulnerability must affect deployed version (0.50.0)
    • Vulnerability must be exploitable in the device's operational context (middleware-only usage)
    • Attack vector must be reachable through the device's interfaces (no file serving, no direct multipart handling)
    • The specific Starlette components used must be affected

Signature meaning

The signatures for the approval process of this document can be found in the verified commits at the repository for the QMS. As a reference, the team members who are expected to participate in this document and their roles in the approval process, as defined in Annex I Responsibility Matrix of the GP-001, are:

  • Author: Team members involved
  • Reviewer: JD-003, JD-004
  • Approver: JD-001
All the information contained in this QMS is confidential. The recipient agrees not to transmit or reproduce the information, neither by himself nor by third parties, through whichever means, without obtaining the prior written permission of Legit.Health (AI Labs Group S.L.)