High

fastapi

ReDoS Vulnerability in Form Data Parsing

A Regular Expression Denial of Service (ReDoS) vulnerability was identified in FastAPI version 0.109.0, specifically when parsing Form data. The issue, which causes the server to lock up and a CPU core to reach 100% usage, was patched in version 0.109.1.

Available publicly on Mar 15 2024

7.5

CVSS:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Credit:

byt3bl33d3r
Threat Overview

The vulnerability arises from the way FastAPI handles the parsing of Form data when a specially crafted Content-Type header is sent in a POST request. This header triggers a ReDoS condition, leading to uncontrolled resource consumption. The issue is specific to FastAPI's handling of Form data and does not affect JSON parsing endpoints. An attacker exploiting this vulnerability can cause a Denial of Service (DoS) by sending multiple malicious requests, effectively rendering the FastAPI server unresponsive.

Attack Scenario

An attacker crafts a malicious POST request with a Content-Type header designed to exploit the ReDoS vulnerability in FastAPI's Form data parsing. By sending this request to an endpoint that processes Form data, the attacker can cause the server to consume excessive resources, leading to a DoS condition. If the server is configured with multiple workers, sending a number of malicious requests equal to the number of workers plus one can completely incapacitate the FastAPI server.

Who is affected

Any application using FastAPI version 0.109.0 for processing Form data is vulnerable to this ReDoS attack. Applications that only process JSON data are not affected by this vulnerability.

Technical Report
Want more out of Sightline?

Sightline offers even more for premium customers

Go Premium

We have - related security advisories that are available with Sightline Premium.