ReDoS Vulnerability in Form Data Parsing
A Regular Expression Denial of Service (ReDoS) vulnerability was identified in FastAPI version 0.109.0, specifically when parsing Form data. The issue, which causes the server to lock up and a CPU core to reach 100% usage, was patched in version 0.109.1.
Available publicly on Mar 15 2024 | Available with Premium on Mar 14 2024
Remediation Steps
- Upgrade FastAPI to version 0.109.1 or later.
- As a temporary measure, implement request validation to reject requests with suspicious Content-Type headers.
- Consider using a WAF (Web Application Firewall) to detect and block malicious requests before they reach the application server.
- Monitor server resource usage to detect potential DoS attacks early.
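The following is an added example of the temporary measure above (validating the Content-Type header before the framework parses form data); it is not FastAPI's code and not part of the advisory. It assumes a pure-ASGI middleware that can be wrapped around a FastAPI app, a constructed allow-list of media types, a constructed 256-byte header length cap, and a 415 response for rejected requests. The header check uses a single linear pass with no regular expressions, so a crafted header cannot slow the check itself down.

```python
"""Reject requests with suspicious Content-Type headers before form parsing.
Added example; not FastAPI's own code. Policy values below are assumptions."""
import asyncio
import string

# Assumption: only these body types are expected by the application's endpoints.
ALLOWED_MEDIA_TYPES = {"multipart/form-data", "application/x-www-form-urlencoded", "application/json"}
MAX_CONTENT_TYPE_LEN = 256  # assumption: legitimate Content-Type values are far shorter
_TOKEN_CHARS = frozenset(string.ascii_letters + string.digits + "!#$%&'*+-.^_`|~")


def _parse_params(params):
    """Yield (name, value) from a ';name=value;...' suffix in one pass, honouring
    quoted values (a boundary may legitimately contain ';'). Raises ValueError."""
    i, n = 0, len(params)
    while i < n:
        while i < n and params[i] in " \t;":  # skip separators and whitespace
            i += 1
        if i >= n:
            break
        start = i
        while i < n and params[i] in _TOKEN_CHARS:
            i += 1
        name = params[start:i]
        if not name or i >= n or params[i] != "=":
            raise ValueError("malformed parameter name")
        i += 1
        if i < n and params[i] == '"':  # quoted-string value
            i += 1
            start = i
            while i < n and params[i] != '"':
                if params[i] == "\\":  # skip escaped character
                    i += 1
                i += 1
            if i >= n:
                raise ValueError("unterminated quoted value")
            value = params[start:i]
            i += 1
        else:  # token value
            start = i
            while i < n and params[i] in _TOKEN_CHARS:
                i += 1
            value = params[start:i]
            if not value:
                raise ValueError("empty parameter value")
        if i < n and params[i] not in " \t;":
            raise ValueError("unexpected character after parameter value")
        yield name.lower(), value


def validate_content_type(header):
    """Return (accepted, reason). None means no body type was declared."""
    if header is None:
        return True, "no content type declared"
    if len(header) > MAX_CONTENT_TYPE_LEN:
        return False, "content type header too long"
    media_type, _, params = header.partition(";")
    if media_type.strip().lower() not in ALLOWED_MEDIA_TYPES:
        return False, "media type not allowed"
    try:
        list(_parse_params(params))
    except ValueError as exc:
        return False, f"malformed content type parameters: {exc}"
    return True, "ok"


class ContentTypeGuard:
    """Pure ASGI middleware: answers 415 before the wrapped app reads the body."""

    def __init__(self, app):
        self.app = app

    async def __call__(self, scope, receive, send):
        if scope["type"] == "http" and scope["method"] in ("POST", "PUT", "PATCH"):
            header = next((v.decode("latin-1") for k, v in scope["headers"] if k == b"content-type"), None)
            ok, reason = validate_content_type(header)
            if not ok:
                body = reason.encode()
                await send({"type": "http.response.start", "status": 415,
                            "headers": [(b"content-type", b"text/plain"),
                                        (b"content-length", str(len(body)).encode())]})
                await send({"type": "http.response.body", "body": body})
                return
        await self.app(scope, receive, send)


def run_guard(method, content_type):
    """Drive the middleware in-process with a constructed request; return the status."""
    sent = []

    async def inner(scope, receive, send):  # stand-in for the real application
        await send({"type": "http.response.start", "status": 200, "headers": []})
        await send({"type": "http.response.body", "body": b"ok"})

    async def receive():
        return {"type": "http.request", "body": b"", "more_body": False}

    async def send(message):
        sent.append(message)

    headers = [] if content_type is None else [(b"content-type", content_type.encode("latin-1"))]
    scope = {"type": "http", "method": method, "headers": headers, "path": "/"}
    asyncio.run(ContentTypeGuard(inner)(scope, receive, send))
    return sent[0]["status"]


if __name__ == "__main__":
    for ct in ["multipart/form-data; boundary=----abc", 'multipart/form-data; boundary="a;b"',
               "text/html", "multipart/form-data; boundary=\"unterminated"]:
        print(ct, "->", run_guard("POST", ct))
```

With a FastAPI application this would be wired in as `app.add_middleware(ContentTypeGuard)` (Starlette instantiates the class with the inner app), assuming the default Starlette middleware stack; the check runs before any route handler calls `request.form()`. It is a stop-gap only: upgrading to 0.109.1 remains the actual fix.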
Patch Details
- Fixed Version: 0.109.1
- Patch Commit: https://github.com/tiangolo/fastapi/commit/9d34ad0ee8a0dfbbcce06f76c2d5d851085024fc