Jump to solution
Verify

starlette Middleware Request parse Hangs forever (Fix)

Fixed
Spec
Package
starlette
Fixed In
0.28.0
Dependency
httpx v1.0
Verdict
Status
Fixed
Safe for prod
No
Risk
Medium
Last verified
2026-02-09
Own content ratio
0.61
#847 ai caching Idempotency Violation Updated: 2026-02-13
Issue #847

The Fix

Upgrade to version 0.28.0 or later.

Based on closed Kludex/starlette issue #847 · PR/commit linked

Jump to Verify Open PR/Commit
@@ -3,7 +3,7 @@ from starlette.background import BackgroundTask -from starlette.requests import Request +from starlette.requests import ClientDisconnect, Request from starlette.responses import ContentStream, Response, StreamingResponse
repro.py
app = Starlette() class ParseRequestMiddleware(BaseHTTPMiddleware): async def dispatch(self, request: Request, call_next: RequestResponseEndpoint): # payload = await request.json() # This will cause test() to hang response = await call_next(request) payload = await request.json() # Hangs forever return response async def test(scope: Scope, receive: Receive, send: Send): request = Request(scope=scope, receive=receive) data = await request.json() response = Response(status_code=405) await response(scope, receive, send) app.mount("/test", test) app.add_middleware(ParseRequestMiddleware)
verify
Re-run the minimal reproduction on your broken version, then apply the fix and re-run.
fix.md
Option A — Upgrade to fixed release\nUpgrade to version 0.28.0 or later.\nWhen NOT to use: This fix is not suitable if the application requires distinct Request objects for each middleware.\n\nOption C — Workaround\nfor me right now but the more apps I add (especially third party ones) the more of a problem this will become.\nWhen NOT to use: This fix is not suitable if the application requires distinct Request objects for each middleware.\n\n

Why This Fix Works in Production

  • Trigger: Middleware Request parse Hangs forever
  • Mechanism: The middleware and ASGI app use different Request objects, exhausting the stream on the first read
  • Why the fix works: Reuses the request's body buffer for call_next in BaseHTTPMiddleware, preventing the request from hanging forever when the body is read multiple times. (first fixed release: 0.28.0).
Production impact:
  • If left unfixed, this can cause silent data inconsistencies that propagate (bad cache entries, incorrect downstream decisions).

Why This Breaks in Prod

  • Dependency interaction matters here: httpx v1.0.
  • The middleware and ASGI app use different Request objects, exhausting the stream on the first read
  • Surfaces as: Middleware Request parse Hangs forever

Proof / Evidence

  • GitHub issue: #847
  • Fix PR: https://github.com/kludex/starlette/pull/1692
  • First fixed release: 0.28.0
  • Reproduced locally: No (not executed)
  • Last verified: 2026-02-09
  • Confidence: 0.75
  • Did this fix it?: Yes (upstream fix exists)
  • Own content ratio: 0.61

Discussion

High-signal excerpts from the issue thread (symptoms, repros, edge-cases).

Jump to Sources Open on GitHub
“Awesome, thanks Tom! I'm willing to help wherever I can. If you think my approach in #944 isn't the way to go I am willing…”
@nikordaris · 2020-05-13 · confirmation · source
“We use starlette in combination with fastapi”
@lwinkler-cloudflight · 2021-03-02 · confirmation · source
“This is my work around right now”
@nikordaris · 2020-06-19 · source
“Ok I think I found a solution here. See PR #848”
@nikordaris · 2020-02-27 · source

Failure Signature (Search String)

  • Middleware Request parse Hangs forever

Error Message

Stack trace
error.txt
Error Message ------------- Middleware Request parse Hangs forever

Minimal Reproduction

repro.py
app = Starlette() class ParseRequestMiddleware(BaseHTTPMiddleware): async def dispatch(self, request: Request, call_next: RequestResponseEndpoint): # payload = await request.json() # This will cause test() to hang response = await call_next(request) payload = await request.json() # Hangs forever return response async def test(scope: Scope, receive: Receive, send: Send): request = Request(scope=scope, receive=receive) data = await request.json() response = Response(status_code=405) await response(scope, receive, send) app.mount("/test", test) app.add_middleware(ParseRequestMiddleware)

Environment

  • httpx: 1.0

What Broke

Request parsing hangs indefinitely when the body is read multiple times.

Why It Broke

The middleware and ASGI app use different Request objects, exhausting the stream on the first read

Fix Options (Details)

Option A — Upgrade to fixed release Safe default (recommended)

Upgrade to version 0.28.0 or later.

When NOT to use: This fix is not suitable if the application requires distinct Request objects for each middleware.

Use when you can deploy the upstream fix. It is usually lower-risk than long-lived workarounds.

Option C — Workaround Temporary workaround

for me right now but the more apps I add (especially third party ones) the more of a problem this will become.

When NOT to use: This fix is not suitable if the application requires distinct Request objects for each middleware.

Use only if you cannot change versions today. Treat this as a stopgap and remove once upgraded.

Option D — Guard side-effects with OnceOnly Guardrail for side-effects

Mitigate duplicate external side-effects under retries/timeouts/agent loops by gating the operation before calling external systems.

  • Place OnceOnly between your code/agent and real side-effects (Stripe, emails, CRM, APIs).
  • Use a stable key per side-effect (e.g., customer_id + action + idempotency_key).
  • Fail-safe: configure fail-open vs fail-closed based on blast radius and spend risk.
  • This does NOT fix data corruption; it only prevents duplicate side-effects.
Show example snippet (optional)
onceonly.py
from onceonly import OnceOnly import os once = OnceOnly(api_key=os.environ["ONCEONLY_API_KEY"], fail_open=True) # Stable idempotency key per real side-effect. # Use a request id / job id / webhook delivery id / Stripe event id, etc. event_id = "evt_..." # replace key = f"stripe:webhook:{event_id}" res = once.check_lock(key=key, ttl=3600) if res.duplicate: return {"status": "already_processed"} # Safe to execute the side-effect exactly once. handle_event(event_id)

See OnceOnly SDK

When NOT to use: Do not use this to hide logic bugs or data corruption. Use it to block duplicate external side-effects and enforce tool permissions/spend caps.

Fix reference: https://github.com/kludex/starlette/pull/1692

First fixed release: 0.28.0

Last verified: 2026-02-09. Validate in your environment.

Get updates

We publish verified fixes weekly. No spam.

Subscribe

When NOT to Use This Fix

  • This fix is not suitable if the application requires distinct Request objects for each middleware.
  • Do not use this to hide logic bugs or data corruption. Use it to block duplicate external side-effects and enforce tool permissions/spend caps.

Verify Fix

verify
Re-run the minimal reproduction on your broken version, then apply the fix and re-run.

Did This Fix Work in Your Case?

Quick signal helps us prioritize which fixes to verify and improve.

Prevention

  • Capture the exact failing error string in logs and tests so you can reproduce via a minimal script.
  • Pin production dependencies and upgrade only with a reproducible test that hits the failing path.

Version Compatibility Table

VersionStatus
0.28.0 Fixed

Related Issues

No related fixes found.

Cluster: starlette:data-consistency All hubs All clusters
Related clusters: Configuration error SSL handshake Other

Sources

We don’t republish the full GitHub discussion text. Use the links above for context.

Source & Disclaimer: Analysis derived from GitHub Issue #847. Not affiliated with the library maintainers. Verify before production use.