
BadHost – CVE-2026-48710: Starlette Host-Header Auth Bypass

https://badhost.org/
29•ylk•22h ago
https://arstechnica.com/information-technology/2026/05/milli...

Comments

ylk•22h ago
The URL was meant to be https://badhost.org, the site accidentally still has the old canonical meta tag.
ostif-derek•22h ago
This is a bad one. Rating it a medium understates how hard it hits thousands of downstream projects and billions of installs. People need to patch asap. I'm normally against the "giving a bug a name, logo, and website" trope, but this one is getting poor patch rates because of it being rated a medium and landing right before a big American holiday weekend.
acdha•6h ago
I agree it’s fairly bad on its own but it’s substantially mitigated if you aren’t exposing Starlette/FastAPI directly to the internet – if you use a CDN, load-balancer / API Gateway, or a fronting web server it’s likely that your service is protected since the attacks depend on characters which are not valid in DNS (and in the first couple of cases, likely need to match to route traffic to the right customer).

As an example, I just confirmed that both Cloudflare and AWS ALBs reject all of the attack patterns. Still not good, lateral movement is a time-honored tactic, etc. but it buys time to patch.

s2l•26m ago
From the link, on how the attack works:

An attacker can send a crafted request like GET /protected with a Host: example.com/health?x= header. The request will reach the /protected path, but request.url would be https://example.com/health?x=/protected, and request.url.path would return /health instead of the real request path.
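The path confusion quoted above, reproduced as an added example; this is not code from badhost.org or from the Starlette project. It rebuilds the URL from a hand-built ASGI scope with urllib.parse, so how request.url behaves in any particular Starlette version is an assumption here, and the helper names and the constructed Host values are invented for illustration. The hardened variant does what acdha's fronting proxies do for free: reject any Host header that is not shaped like a DNS name (no '/', '?' or '='), check it against an allowlist, and then authorize on the raw ASGI path rather than on a path recovered from a URL that embeds the Host header.

```python
# Added example (not from badhost.org or the Starlette project): models the Host-header
# path confusion over a hand-built ASGI scope. Starlette is not imported, so the exact
# behaviour of request.url in a given Starlette version is an assumption; helper names
# and the constructed Host values are invented for illustration.
import re
from urllib.parse import urlsplit

# A Host header that is a DNS name, optionally with a port. '/', '?' and '=' can never
# appear here, which is why CDNs and load balancers tend to drop the attack patterns.
# Assumption: IPv6 literals such as [::1]:8000 are not needed; extend the rule if they are.
_VALID_HOST = re.compile(
    r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*"
    r"(?::\d{1,5})?$"
)


def make_scope(path: str, host: str, query: bytes = b"") -> dict:
    """Constructed ASGI scope for `GET <path>` carrying the given Host header."""
    return {
        "type": "http",
        "scheme": "https",
        "method": "GET",
        "path": path,
        "query_string": query,
        "headers": [(b"host", host.encode("latin-1"))],
    }


def host_header(scope: dict) -> str:
    """Return the first Host header value from the scope, or '' if absent."""
    for name, value in scope["headers"]:
        if name == b"host":
            return value.decode("latin-1")
    return ""


def rebuilt_url(scope: dict) -> str:
    """scheme://<Host header><path>[?query], assembled by string concatenation.

    This is the construction the advisory describes: the Host header is trusted
    as an opaque string, so anything it contains becomes part of the URL.
    """
    url = f"{scope['scheme']}://{host_header(scope)}{scope['path']}"
    if scope["query_string"]:
        url += "?" + scope["query_string"].decode("latin-1")
    return url


def rebuilt_path(scope: dict) -> str:
    """What a request.url.path-style accessor yields: the path of the *parsed* URL."""
    return urlsplit(rebuilt_url(scope)).path


def requires_auth_naive(scope: dict) -> bool:
    """Bypassable: decides on the path recovered from the rebuilt URL."""
    return rebuilt_path(scope).startswith("/protected")


def requires_auth_hardened(scope: dict, allowed_hosts: frozenset) -> bool:
    """Validate the Host header first, then decide on the raw ASGI path."""
    host = host_header(scope)
    if not _VALID_HOST.match(host):
        raise ValueError(f"malformed Host header: {host!r}")
    if host.split(":")[0].lower() not in allowed_hosts:
        raise ValueError(f"Host not in allowlist: {host!r}")
    return scope["path"].startswith("/protected")


if __name__ == "__main__":
    allowed = frozenset({"example.com"})
    benign = make_scope("/protected", "example.com")
    attack = make_scope("/protected", "example.com/health?x=")  # constructed attacker Host
    for label, scope in (("benign", benign), ("attack", attack)):
        print(label, rebuilt_url(scope), "->", rebuilt_path(scope),
              "naive requires auth:", requires_auth_naive(scope))
    try:
        requires_auth_hardened(attack, allowed)
    except ValueError as exc:
        print("hardened:", exc)
```

Running it shows the benign request rebuilt as https://example.com/protected with path /protected, while the attack request rebuilds as https://example.com/health?x=/protected and the naive check sees /health and waves it through; the hardened check refuses the Host header before any routing decision is made. The allowlist is the same idea as Starlette's TrustedHostMiddleware, but the check is inlined here so the example runs without the framework.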

nickcw•24m ago
If you read the advisory and are wondering what Starlette is, from its web page: Starlette is a lightweight ASGI framework/toolkit, which is ideal for building async web services in Python.

It's used a lot in the data heavy AI world for its efficiency shipping large files. This includes lots and lots of production servers.

From the advisory: this includes LLM inference servers like vLLM, LLM proxy servers like LiteLLM, AI agent frameworks, MCP gateways, and custom APIs. MCP servers are especially at risk because the MCP spec mandates unauthenticated OAuth discovery endpoints, providing a reliable path for exploitation.
