Starlette request.form() ignores max_fields and max_part_size for urlencoded data
What changed
The request.form() method accepts max_fields and max_part_size but silently ignores them for application/x-www-form-urlencoded requests, while correctly enforcing them for multipart/form-data. An attacker can therefore send a urlencoded body containing an arbitrarily large number of fields, or a single arbitrarily large field, and the server parses all of it: denial of service through CPU blocking or memory exhaustion.
Who it affects
All applications built with Starlette (or FastAPI) that call request.form() on application/x-www-form-urlencoded requests, whether they pass explicit limits or rely on the defaults, since neither reaches the urlencoded parser.
What to do today
Upgrade to a patched version of Starlette that forwards max_fields and max_part_size to the url-encoded parser and enforces them while parsing. Until the upgrade is in place, capping the request body size in front of the application (at the reverse proxy or ASGI server) bounds what a single request can cost, but it is a coarse stopgap rather than a replacement for the per-field and field-count limits.
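What "enforces them while parsing" means in practice, shown as an added example that is not Starlette's own code and not the project's fix: a streaming urlencoded parser that checks both limits as body chunks arrive, plus a small harness showing that the two hostile bodies described under "What changed" (many tiny fields, one huge field) are refused after reading only a short prefix. The names parse_urlencoded_stream, FormLimitExceeded, CountingChunks and chunks_read_before_reject are hypothetical, and a synchronous chunk iterable stands in for the ASGI body stream.

```python
"""Added example (not Starlette's code): a streaming parser for
application/x-www-form-urlencoded bodies that enforces max_fields and
max_part_size *while* reading. All names here are hypothetical."""
from urllib.parse import unquote_to_bytes


class FormLimitExceeded(ValueError):
    """Raised the moment a limit is crossed, before the rest of the body is read."""


def _decode(part: bytes) -> str:
    # '+' encodes a space; translate it before percent-decoding so that an
    # encoded '%2B' still yields a literal '+'.
    return unquote_to_bytes(part.replace(b"+", b" ")).decode("utf-8", "replace")


def parse_urlencoded_stream(chunks, *, max_fields: int = 1000,
                            max_part_size: int = 1024 * 1024) -> list:
    """Parse an iterable of body chunks into (name, value) pairs.

    Both limits are checked as chunks arrive: the field counter trips on the
    (max_fields + 1)-th field, and the size check trips as soon as the bytes
    buffered for the current field exceed max_part_size, so a hostile body is
    rejected after a bounded amount of work and memory.
    """
    fields: list = []
    buf = bytearray()

    def emit(part: bytes) -> None:
        if not part:
            return  # tolerate empty segments such as "a=1&&b=2"
        if len(fields) >= max_fields:
            raise FormLimitExceeded(f"more than {max_fields} fields")
        name, _, value = part.partition(b"=")
        fields.append((_decode(name), _decode(value)))

    for chunk in chunks:
        buf.extend(chunk)
        sep = buf.find(b"&")
        while sep >= 0:
            emit(bytes(buf[:sep]))
            del buf[: sep + 1]
            sep = buf.find(b"&")
        # What remains is the current, possibly incomplete, field: bound it now
        # instead of after the whole body has been buffered.
        if len(buf) > max_part_size:
            raise FormLimitExceeded(f"field larger than {max_part_size} bytes")
    emit(bytes(buf))
    return fields


class CountingChunks:
    """Constructed stand-in for a request body stream: yields fixed-size chunks
    and counts how many the consumer actually pulled."""

    def __init__(self, body: bytes, chunk_size: int):
        self.body, self.chunk_size, self.read = body, chunk_size, 0

    def __iter__(self):
        for start in range(0, len(self.body), self.chunk_size):
            self.read += 1
            yield self.body[start:start + self.chunk_size]


def chunks_read_before_reject(body: bytes, chunk_size: int, **limits) -> int:
    """Feed body to the parser; return the number of chunks consumed before
    FormLimitExceeded fired, or -1 if the body was accepted in full."""
    stream = CountingChunks(body, chunk_size)
    try:
        parse_urlencoded_stream(stream, **limits)
    except FormLimitExceeded:
        return stream.read
    return -1


# Constructed hostile bodies of the two kinds the advisory describes.
MANY_FIELDS = b"&".join(b"f%d=1" % i for i in range(100_000))  # ~0.9 MB, 100k fields
ONE_HUGE_FIELD = b"blob=" + b"A" * (10 * 1024 * 1024)          # one 10 MB value

if __name__ == "__main__":
    print(parse_urlencoded_stream([b"user=ali", b"ce&q=a%2Bb+c&", b"&x="]))
    # Only a couple of the ~218 chunks are read before the 1001st field is refused.
    print(chunks_read_before_reject(MANY_FIELDS, 4096, max_fields=1000))
    # Refused once the buffered field passes 1 MiB: 17 of ~161 chunks.
    print(chunks_read_before_reject(ONE_HUGE_FIELD, 65536, max_part_size=1024 * 1024))
```

The contrast with the unpatched behaviour described above is in where the checks sit: a parser that first buffers the whole body and only then counts fields or measures them has already paid the full memory and CPU cost by the time any limit could fire, which is exactly the outcome the limits exist to prevent.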