I agree it’s fairly bad on its own but it’s substantially mitigated if you aren’t exposing Starlette/FastAPI directly to the internet – if you use a CDN, load-balancer / API Gateway, or a fronting web server it’s likely that your service is protected since the attacks depend on characters which are not valid in DNS (and in the first couple of cases, likely need to match to route traffic to the right customer).

As an example, I just confirmed that both Cloudflare and AWS ALBs reject all of the attack patterns. Still not good, lateral movement is a time-honored tactic, etc. but it buys time to patch.

Also requires that you build specific kind of logic in your access control. So it really depends on implementation. Some codebases are vulnerable where as others are not.

I don't know if many people run FastAPI directly without any reverse proxy, load balancer etc. in front of their services.

Probably this is why it is marked as medium.