Severity: High

Package: fastapi
ReDoS Vulnerability in Form Data Parsing

A Regular Expression Denial of Service (ReDoS) vulnerability was identified in FastAPI version 0.109.0, specifically when parsing Form data. The issue, which causes the server to lock up and a CPU core to reach 100% usage, was patched in version 0.109.1.

Available publicly on Mar 15 2024

CVSS score: 7.5

CVSS vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Credit:

byt3bl33d3r

Remediation Steps
  • Upgrade FastAPI to version 0.109.1 or later.
  • As a temporary measure, implement request validation to reject requests with suspicious Content-Type headers.
  • Consider using a WAF (Web Application Firewall) to detect and block malicious requests before they reach the application server.
  • Monitor server resource usage to detect potential DoS attacks early.
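One way to apply the interim Content-Type validation from the steps above, as an added example that is neither FastAPI's own code nor the upstream patch: a plain ASGI middleware that answers 400 to oversized or malformed Content-Type headers before the form body is handed to any parser, installed on a FastAPI app with app.add_middleware(ContentTypeGuard). The 256-byte limit, the strict token grammar and the probe helper are assumptions for illustration, so tune the limit and grammar to the clients a real deployment must accept.

```python
import asyncio
import re

MAX_CONTENT_TYPE_LEN = 256  # assumed limit; genuine form requests use far shorter headers

# RFC 7230 "token" characters: no whitespace, ';', '=', '"' or '/', so the pieces never
# overlap and the pattern cannot backtrack catastrophically (stricter than the RFC allows).
_TOKEN = r"[A-Za-z0-9!#$%&'*+.^_`|~-]+"
_PARAM = rf';\s*{_TOKEN}=(?:{_TOKEN}|"[^"\\]*")'
_CONTENT_TYPE_RE = re.compile(rf"{_TOKEN}/{_TOKEN}(?:\s*{_PARAM})*\s*")

def content_type_is_sane(value: str, max_len: int = MAX_CONTENT_TYPE_LEN) -> bool:
    """Linear-time check run before any library parser touches the header."""
    if len(value) > max_len:  # the length cap bounds the work of everything after it
        return False
    return _CONTENT_TYPE_RE.fullmatch(value) is not None

class ContentTypeGuard:
    """ASGI middleware: answer 400 to a bad Content-Type instead of parsing the form body.
    Register on a FastAPI/Starlette app with app.add_middleware(ContentTypeGuard)."""

    def __init__(self, app, max_len: int = MAX_CONTENT_TYPE_LEN):
        self.app, self.max_len = app, max_len

    async def __call__(self, scope, receive, send):
        if scope["type"] == "http":
            for name, raw in scope.get("headers", []):
                if name == b"content-type" and not content_type_is_sane(
                        raw.decode("latin-1"), self.max_len):
                    await send({"type": "http.response.start", "status": 400,
                                "headers": [(b"content-type", b"text/plain")]})
                    await send({"type": "http.response.body", "body": b"bad content-type"})
                    return
        await self.app(scope, receive, send)

def probe(content_type: str) -> int:
    """Push one constructed POST through the guard; return the status the client would see."""
    sent = []

    async def inner_app(scope, receive, send):  # stand-in for the real FastAPI app
        await send({"type": "http.response.start", "status": 200, "headers": []})
        await send({"type": "http.response.body", "body": b"ok"})

    async def send(message): sent.append(message)
    async def receive(): return {"type": "http.request", "body": b"", "more_body": False}

    scope = {"type": "http", "method": "POST", "path": "/login",
             "headers": [(b"content-type", content_type.encode("latin-1"))]}
    asyncio.run(ContentTypeGuard(inner_app)(scope, receive, send))
    return sent[0]["status"]
```

Requests without a Content-Type header pass straight through, so the guard only affects form and multipart uploads.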

Patch Details
  • Fixed Version: 0.109.1
  • Patch Commit: https://github.com/tiangolo/fastapi/commit/9d34ad0ee8a0dfbbcce06f76c2d5d851085024fc