The Fix
Upgrade to version 0.13.1 or later.
Based on closed Kludex/uvicorn issue #858 · PR/commit linked
Production note: Most teams hit this during upgrades or environment changes. Roll out with a canary and smoke critical endpoints (health, OpenAPI/docs) before 100%.
@@ -460,7 +460,6 @@ async def send(self, message):
self.scope["http_version"],
status_code,
- extra={"status_code": status_code, "scope": self.scope},
)
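Review bot: the hunk drops `status_code` from the record together with `scope`, although only `scope` carries the leaked headers; any log filter or formatter that reads `record.status_code` stops working (the "My log filtering no longer works" report in the discussion below is consistent with that). Consider keeping `extra={"status_code": status_code}` and removing only `"scope": self.scope`, or calling out the removed field in the changelog.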
Why This Fix Works in Production
- Trigger: prompted by @alicederyn in [gitter](https://gitter.im/encode/community?at=5fb6492d2a60f731f764a554) you can leak headers from the scope in the access logs…
- Mechanism: Sensitive headers were being leaked in access logs due to scope being included in JSON formatted logs
- Why the fix works: Removes the scope from access logs when using a JSON logging formatter to prevent sensitive header leakage. (first fixed release: 0.13.1).
- If left unfixed, the leak is silent: nothing raises, and it only shows up in deployments whose logging config uses a JSON formatter that serialises extra record fields, so a staging setup with the default text formatter can look clean while production writes request headers to its access logs.
Why This Breaks in Prod
- Sensitive headers were being leaked in access logs due to scope being included in JSON formatted logs
- Production symptom (often without a traceback): prompted by @alicederyn in [gitter](https://gitter.im/encode/community?at=5fb6492d2a60f731f764a554) you can leak headers from the scope in the access logs given that you use json formatting for your logging.
Proof / Evidence
- GitHub issue: #858
- Fix PR: https://github.com/kludex/uvicorn/pull/859
- First fixed release: 0.13.1
- Reproduced locally: No (not executed)
- Last verified: 2026-02-09
- Confidence: 0.75
- Did this fix it?: Yes (upstream fix exists)
- Own content ratio: 0.53
Discussion
High-signal excerpts from the issue thread (symptoms, repros, edge-cases).
“Hallo uvicorn, https://github.com/encode/uvicorn/pull/859#issuecomment-741698100 Very funny, please let me/us know how can I/we scream so I/we'd get a flag. BTW this no longer works because of…”
“My log filtering no longer works, and I suppose this change is the culprit?”
“Perhaps add an extension to register a callback function that defaults to the current log call? That way users can log whatever they want.”
Failure Signature (Search String)
- prompted by @alicederyn in [gitter](https://gitter.im/encode/community?at=5fb6492d2a60f731f764a554) you can leak headers from the scope in the access logs given that you use json
Error Message
Signature-only (no traceback captured)
Minimal Reproduction
```python
# cookieapp.py: minimal reproduction posted in uvicorn issue #858
from starlette.requests import Request
from starlette.responses import Response
import uvicorn


async def app(scope, receive, send):
    # Raw ASGI app: echo the cookie back if the client sent one, otherwise set it.
    request = Request(scope, receive)
    mycookie = request.cookies.get("mycookie")
    if mycookie:
        response = Response(mycookie, media_type="text/plain")
    else:
        response = Response("Hello, world!", media_type="text/plain")
        response.set_cookie("mycookie", "Hello, cookies!")
    await response(scope, receive, send)


if __name__ == "__main__":
    # logging.yaml is the reporter's log config with a JSON formatter (not included
    # in the issue); on affected versions the cookie header shows up in the access log.
    uvicorn.run("cookieapp:app", log_level="debug", log_config="logging.yaml")
```
What Broke
Access logs exposed sensitive header information, leading to potential data leaks.
Why It Broke
Sensitive headers were being leaked in access logs due to scope being included in JSON formatted logs
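The mechanism above and in "Why This Fix Works in Production" is easy to see in isolation: a JSON formatter serialises every `extra` field on a log record, so attaching the ASGI scope (which holds the raw request headers) to the access-log record writes cookies and authorization tokens into the log. The following is an added example, not uvicorn's code or anything from PR #859: the scope dict, its header values, and the `JsonFormatter` are constructed here, `render_access_log` mimics the pre- and post-0.13.1 shape of the access-log call, and `RedactHeadersFilter` is a mitigation suggested here for log configs that still attach a scope (it is not part of the upstream fix).

```python
import io
import json
import logging

# Constructed ASGI-style scope (example data, not captured from a real server).
# Before 0.13.1 uvicorn attached a dict of this shape to each access-log record.
SAMPLE_SCOPE = {
    "type": "http",
    "http_version": "1.1",
    "method": "GET",
    "path": "/",
    "headers": [
        (b"host", b"localhost:8000"),
        (b"cookie", b"mycookie=Hello, cookies!"),
        (b"authorization", b"Bearer example-token"),
    ],
}
SENSITIVE_HEADERS = {b"cookie", b"authorization"}

# Attribute names every LogRecord carries; anything else on a record came from `extra`.
_STANDARD_ATTRS = set(vars(logging.LogRecord("x", 0, "x", 0, "", (), None))) | {"message", "asctime"}


def _jsonable(obj):
    """json.dumps fallback: header names and values are bytes in an ASGI scope."""
    return obj.decode("latin-1") if isinstance(obj, bytes) else str(obj)


class JsonFormatter(logging.Formatter):
    """Minimal JSON formatter that, like common third-party ones, serialises every
    `extra` field on the record. That is what turns extra={"scope": scope} into a
    full header dump in the access log."""

    def format(self, record):
        payload = {"level": record.levelname, "message": record.getMessage()}
        payload.update({k: v for k, v in vars(record).items() if k not in _STANDARD_ATTRS})
        return json.dumps(payload, default=_jsonable)


class RedactHeadersFilter(logging.Filter):
    """Mitigation (assumed here, not from the upstream fix) for log configs that still
    attach a scope to records: blank sensitive header values before any formatter runs."""

    def filter(self, record):
        scope = getattr(record, "scope", None)
        if isinstance(scope, dict) and "headers" in scope:
            record.scope = {
                **scope,
                "headers": [(k, b"[redacted]" if k.lower() in SENSITIVE_HEADERS else v)
                            for k, v in scope["headers"]],
            }
        return True


def render_access_log(include_scope, redact=False, scope=SAMPLE_SCOPE):
    """Emit one access-log record through the JSON formatter and return the line.

    include_scope=True mimics the pre-0.13.1 call that passed the scope in `extra`;
    include_scope=False is the shape of the call after PR #859."""
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    handler.setFormatter(JsonFormatter())
    if redact:
        handler.addFilter(RedactHeadersFilter())
    logger = logging.getLogger("uvicorn.access.example")
    logger.propagate = False
    logger.setLevel(logging.INFO)
    logger.addHandler(handler)
    extra = {"status_code": 200}
    if include_scope:
        extra["scope"] = scope
    logger.info('%s - "%s %s HTTP/%s" %d', "127.0.0.1:12345", scope["method"],
                scope["path"], scope["http_version"], 200, extra=extra)
    logger.removeHandler(handler)
    return buf.getvalue().strip()


def access_log_fields(include_scope, redact=False):
    """Parsed form of render_access_log(), for inspecting which fields reached the log."""
    return json.loads(render_access_log(include_scope, redact))


def leaked_header_values(line, scope=SAMPLE_SCOPE):
    """Values of sensitive headers from `scope` that appear verbatim in a log line."""
    return [v.decode() for k, v in scope["headers"]
            if k in SENSITIVE_HEADERS and v.decode() in line]


if __name__ == "__main__":
    for include_scope, redact in ((True, False), (True, True), (False, False)):
        line = render_access_log(include_scope, redact)
        print(f"scope={include_scope} redact={redact}: leaked={leaked_header_values(line)}")
        print("  ", line)
```

Running the script prints three lines: the pre-fix shape leaks both the cookie and the authorization value, the redacting filter keeps the scope but blanks those two headers, and the post-fix shape (no scope in `extra`) leaks nothing while still carrying `status_code`. The `leaked_header_values` check is the kind of assertion worth keeping in a test against your real logging config.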
Fix Options (Details)
Option A — Upgrade to fixed release (safe default, recommended)
Upgrade to version 0.13.1 or later.
Use when you can deploy the upstream fix. It is usually lower-risk than long-lived workarounds.
Fix reference: https://github.com/kludex/uvicorn/pull/859
First fixed release: 0.13.1
Last verified: 2026-02-09. Validate in your environment.
When NOT to Use This Fix
- This fix should not be applied if logging sensitive information is intended.
Verify Fix
Re-run the minimal reproduction on your broken version, then apply the fix and re-run.
Prevention
- Capture the exact failing symptom (here, header values appearing in an access-log line) in a test so you can reproduce it via a minimal script.
- Pin production dependencies and upgrade only with a reproducible test that hits the failing path.
Version Compatibility Table
| Version | Status |
|---|---|
| 0.13.1 | Fixed |
Related Issues
No related fixes found.
Sources
We don’t republish the full GitHub discussion text. Use the links above for context.