Question 1

Is there a bug in fastapi?

Accepted Answer

Cross-Site Request Forgery (CSRF) in FastAPI ### Impact

FastAPI versions lower than `0.65.2` that used cookies for authentication in path operations that received JSON payloads sent by browsers were vulnerable to a Cross-Site Request Forgery (CSRF) attack.

In versions lower than `0.65.2`, FastAPI would try to read the request payload as JSON even if the `content-type` header sent was not set to `application/json` or a compatible JSON media type (e.g. `application/geo+json`).

So, a request with a content type of `text/plain` containing JSON data would be accepted and the JSON data would be extracted.

But requests with content type `text/plain` are exempt from [CORS](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS) preflights, for being considered [Simple requests](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests). So, the browser would execute them right away including cookies, and the text content could be a JSON string that would be parsed and accepted by the FastAPI application.

### Patches

This is fixed in FastAPI `0.65.2`.

The request data is now parsed as JSON only if the `content-type` header is `application/json` or another JSON compatible media type like `application/geo+json`.

### Workarounds

It's best to upgrade to the latest FastAPI.

But still, it would be possible to add a middleware or a dependency that checks the `content-type` header and aborts the request if it is not `application/json` or another JSON compatible content type.

### References

* [CORS on Mozilla web docs](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS)
* [This answer on StackExchange](https://security.stackexchange.com/questions/157528/ways-to-bypass-browsers-cors-policy/157531#157531)
* [OWASP CSRF](https://owasp.org/www-community/attacks/csrf)
* Fixed in PR [#2118](https://github.com/tiangolo/fastapi/pull/2118)

### For more information

If you have any questions or comments, write to [security@tiangolo.com](mailto:security@tiangolo.com) Fixed in fastapi 0.65.2.

Question 2

Is there a bug in fastapi?

Accepted Answer

PYSEC-2024-38: advisory FastAPI is a web framework for building APIs with Python 3.8+ based on standard Python type hints. When using form data, `python-multipart` uses a Regular Expression to parse the HTTP `Content-Type` header, including options. An attacker could send a custom-made `Content-Type` option that is very difficult for the RegEx to process, consuming CPU resources and stalling indefinitely (minutes or more) while holding the main event loop. This means that process can't handle any more requests. It's a ReDoS(Regular expression Denial of Service), it only applies to those reading form data, using `python-multipart`. This vulnerability has been patched in version 0.109.1. Fixed in fastapi 9d34ad0ee8a0dfbbcce06f76c2d5d851085024fc.

Question 3

Is there a bug in fastapi?

Accepted Answer

PYSEC-2021-100: advisory FastAPI is a web framework for building APIs with Python 3.6+ based on standard Python type hints. FastAPI versions lower than 0.65.2 that used cookies for authentication in path operations that received JSON payloads sent by browsers were vulnerable to a Cross-Site Request Forgery (CSRF) attack. In versions lower than 0.65.2, FastAPI would try to read the request payload as JSON even if the content-type header sent was not set to application/json or a compatible JSON media type (e.g. application/geo+json). A request with a content type of text/plain containing JSON data would be accepted and the JSON data would be extracted. Requests with content type text/plain are exempt from CORS preflights, for being considered Simple requests. The browser will execute them right away including cookies, and the text content could be a JSON string that would be parsed and accepted by the FastAPI application. This is fixed in FastAPI 0.65.2. The request data is now parsed as JSON only if the content-type header is application/json or another JSON compatible media type like application/geo+json. It's best to upgrade to the latest FastAPI, but if updating is not possible then a middleware or a dependency that checks the content-type header and aborts the request if it is not application/json or another JSON compatible content type can act as a mitigating workaround. Fixed in fastapi fa7e3c996edf2d5482fff8f9d890ac2390dede4d.

Question 4

Is there a bug in fastapi 0.110.0?

Accepted Answer

Request body with empty dict {} rejected when default is Pydantic model Endpoints with a Pydantic body model rejected empty JSON body `{}` with 422 even when all fields had defaults. Fixed in 0.110.1. Fixed in fastapi 0.110.1.

Severity	Affected	Fixed in	Title	Status	Source
high	any	0.65.2	Cross-Site Request Forgery (CSRF) in FastAPI ### Impact FastAPI versions lower than `0.65.2` that used cookies for authentication in path operations that received JSON payloads sent by browsers were vulnerable to a Cross-Site Request Forgery (CSRF) attack. In versions lower than `0.65.2`, FastAPI would try to read the request payload as JSON even if the `content-type` header sent was not set to `application/json` or a compatible JSON media type (e.g. `application/geo+json`). So, a request with a content type of `text/plain` containing JSON data would be accepted and the JSON data would be extracted. But requests with content type `text/plain` are exempt from [CORS](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS) preflights, for being considered [Simple requests](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests). So, the browser would execute them right away including cookies, and the text content could be a JSON string that would be parsed and accepted by the FastAPI application. ### Patches This is fixed in FastAPI `0.65.2`. The request data is now parsed as JSON only if the `content-type` header is `application/json` or another JSON compatible media type like `application/geo+json`. ### Workarounds It's best to upgrade to the latest FastAPI. But still, it would be possible to add a middleware or a dependency that checks the `content-type` header and aborts the request if it is not `application/json` or another JSON compatible content type. ### References * [CORS on Mozilla web docs](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS) * [This answer on StackExchange](https://security.stackexchange.com/questions/157528/ways-to-bypass-browsers-cors-policy/157531#157531) * [OWASP CSRF](https://owasp.org/www-community/attacks/csrf) * Fixed in PR [#2118](https://github.com/tiangolo/fastapi/pull/2118) ### For more information If you have any questions or comments, write to [[email protected]](mailto:[email protected])	fixed	osv:GHSA-8h2j-cgx8-6xv7
medium	any	9d34ad0ee8a0dfbbcce06f76c2d5d851085024fc	PYSEC-2024-38: advisory FastAPI is a web framework for building APIs with Python 3.8+ based on standard Python type hints. When using form data, `python-multipart` uses a Regular Expression to parse the HTTP `Content-Type` header, including options. An attacker could send a custom-made `Content-Type` option that is very difficult for the RegEx to process, consuming CPU resources and stalling indefinitely (minutes or more) while holding the main event loop. This means that process can't handle any more requests. It's a ReDoS(Regular expression Denial of Service), it only applies to those reading form data, using `python-multipart`. This vulnerability has been patched in version 0.109.1.	fixed	osv:PYSEC-2024-38
medium	any	fa7e3c996edf2d5482fff8f9d890ac2390dede4d	PYSEC-2021-100: advisory FastAPI is a web framework for building APIs with Python 3.6+ based on standard Python type hints. FastAPI versions lower than 0.65.2 that used cookies for authentication in path operations that received JSON payloads sent by browsers were vulnerable to a Cross-Site Request Forgery (CSRF) attack. In versions lower than 0.65.2, FastAPI would try to read the request payload as JSON even if the content-type header sent was not set to application/json or a compatible JSON media type (e.g. application/geo+json). A request with a content type of text/plain containing JSON data would be accepted and the JSON data would be extracted. Requests with content type text/plain are exempt from CORS preflights, for being considered Simple requests. The browser will execute them right away including cookies, and the text content could be a JSON string that would be parsed and accepted by the FastAPI application. This is fixed in FastAPI 0.65.2. The request data is now parsed as JSON only if the content-type header is application/json or another JSON compatible media type like application/geo+json. It's best to upgrade to the latest FastAPI, but if updating is not possible then a middleware or a dependency that checks the content-type header and aborts the request if it is not application/json or another JSON compatible content type can act as a mitigating workaround.	fixed	osv:PYSEC-2021-100
medium	0.110.0	0.110.1	Request body with empty dict {} rejected when default is Pydantic model Endpoints with a Pydantic body model rejected empty JSON body `{}` with 422 even when all fields had defaults. Fixed in 0.110.1.	closed	github:#11143

fastapi known bugs