ReDoS Vulnerability in Form Data Parsing
A Regular Expression Denial of Service (ReDoS) vulnerability was identified in FastAPI version 0.109.0, specifically when parsing Form data. The issue, which causes the server to lock up and a CPU core to reach 100% usage, was patched in version 0.109.1.
Available publicly on Mar 15 2024 | Available with Premium on Mar 14 2024
Threat Overview
The vulnerability arises from the way FastAPI handles the parsing of Form data when a specially crafted Content-Type
header is sent in a POST request. This header triggers a ReDoS condition, leading to uncontrolled resource consumption. The issue is specific to FastAPI's handling of Form data and does not affect JSON parsing endpoints. An attacker exploiting this vulnerability can cause a Denial of Service (DoS) by sending multiple malicious requests, effectively rendering the FastAPI server unresponsive.
Attack Scenario
An attacker crafts a malicious POST request with a Content-Type
header designed to exploit the ReDoS vulnerability in FastAPI's Form data parsing. By sending this request to an endpoint that processes Form data, the attacker can cause the server to consume excessive resources, leading to a DoS condition. If the server is configured with multiple workers, sending a number of malicious requests equal to the number of workers plus one can completely incapacitate the FastAPI server.
Who is affected
Any application using FastAPI version 0.109.0 for processing Form data is vulnerable to this ReDoS attack. Applications that only process JSON data are not affected by this vulnerability.
Technical Report
Want more out of Sightline?
Sightline offers even more for premium customers
Go Premium
We have - related security advisories that are available with Sightline Premium.