pysec-2021-100
Vulnerability from pysec
Published
2021-06-09 18:15
Modified
2021-06-22 04:54
Details

FastAPI is a web framework for building APIs with Python 3.6+ based on standard Python type hints. FastAPI versions lower than 0.65.2 that used cookies for authentication in path operations that received JSON payloads sent by browsers were vulnerable to a Cross-Site Request Forgery (CSRF) attack. In versions lower than 0.65.2, FastAPI would try to read the request payload as JSON even if the content-type header sent was not set to application/json or a compatible JSON media type (e.g. application/geo+json). A request with a content type of text/plain containing JSON data would be accepted and the JSON data would be extracted. Requests with content type text/plain are exempt from CORS preflights, for being considered Simple requests. The browser will execute them right away including cookies, and the text content could be a JSON string that would be parsed and accepted by the FastAPI application. This is fixed in FastAPI 0.65.2. The request data is now parsed as JSON only if the content-type header is application/json or another JSON compatible media type like application/geo+json. It's best to upgrade to the latest FastAPI, but if updating is not possible then a middleware or a dependency that checks the content-type header and aborts the request if it is not application/json or another JSON compatible content type can act as a mitigating workaround.

Impacted products
Name purl
fastapi pkg:pypi/fastapi
Aliases


To clipboard 

{
   affected: [
      {
         package: {
            ecosystem: "PyPI",
            name: "fastapi",
            purl: "pkg:pypi/fastapi",
         },
         ranges: [
            {
               events: [
                  {
                     introduced: "0",
                  },
                  {
                     fixed: "fa7e3c996edf2d5482fff8f9d890ac2390dede4d",
                  },
               ],
               repo: "https://github.com/tiangolo/fastapi",
               type: "GIT",
            },
            {
               events: [
                  {
                     introduced: "0",
                  },
                  {
                     fixed: "0.65.2",
                  },
               ],
               type: "ECOSYSTEM",
            },
         ],
         versions: [
            "0.1.0",
            "0.1.10",
            "0.1.11",
            "0.1.12",
            "0.1.13",
            "0.1.14",
            "0.1.15",
            "0.1.16",
            "0.1.17",
            "0.1.18",
            "0.1.19",
            "0.1.2",
            "0.1.3",
            "0.1.4",
            "0.1.5",
            "0.1.6",
            "0.1.7",
            "0.1.8",
            "0.1.9",
            "0.10.0",
            "0.10.1",
            "0.10.2",
            "0.11.0",
            "0.12.0",
            "0.12.1",
            "0.13.0",
            "0.14.0",
            "0.15.0",
            "0.16.0",
            "0.17.0",
            "0.18.0",
            "0.19.0",
            "0.2.0",
            "0.2.1",
            "0.20.0",
            "0.20.1",
            "0.21.0",
            "0.22.0",
            "0.23.0",
            "0.24.0",
            "0.25.0",
            "0.26.0",
            "0.27.0",
            "0.27.1",
            "0.27.2",
            "0.28.0",
            "0.29.0",
            "0.29.1",
            "0.3.0",
            "0.30.0",
            "0.30.1",
            "0.31.0",
            "0.32.0",
            "0.33.0",
            "0.34.0",
            "0.35.0",
            "0.36.0",
            "0.37.0",
            "0.38.0",
            "0.38.1",
            "0.39.0",
            "0.4.0",
            "0.40.0",
            "0.41.0",
            "0.42.0",
            "0.43.0",
            "0.44.0",
            "0.44.1",
            "0.45.0",
            "0.46.0",
            "0.47.0",
            "0.47.1",
            "0.48.0",
            "0.49.0",
            "0.49.1",
            "0.49.2",
            "0.5.0",
            "0.5.1",
            "0.50.0",
            "0.51.0",
            "0.52.0",
            "0.53.0",
            "0.53.1",
            "0.53.2",
            "0.54.0",
            "0.54.1",
            "0.54.2",
            "0.55.0",
            "0.55.1",
            "0.56.0",
            "0.56.1",
            "0.57.0",
            "0.58.0",
            "0.58.1",
            "0.59.0",
            "0.6.0",
            "0.6.1",
            "0.6.2",
            "0.6.3",
            "0.6.4",
            "0.60.0",
            "0.60.1",
            "0.60.2",
            "0.61.0",
            "0.61.1",
            "0.61.2",
            "0.62.0",
            "0.63.0",
            "0.64.0",
            "0.65.0",
            "0.65.1",
            "0.7.0",
            "0.7.1",
            "0.8.0",
            "0.9.0",
            "0.9.1",
         ],
      },
   ],
   aliases: [
      "CVE-2021-32677",
      "GHSA-8h2j-cgx8-6xv7",
   ],
   details: "FastAPI is a web framework for building APIs with Python 3.6+ based on standard Python type hints. FastAPI versions lower than 0.65.2 that used cookies for authentication in path operations that received JSON payloads sent by browsers were vulnerable to a Cross-Site Request Forgery (CSRF) attack. In versions lower than 0.65.2, FastAPI would try to read the request payload as JSON even if the content-type header sent was not set to application/json or a compatible JSON media type (e.g. application/geo+json). A request with a content type of text/plain containing JSON data would be accepted and the JSON data would be extracted. Requests with content type text/plain are exempt from CORS preflights, for being considered Simple requests. The browser will execute them right away including cookies, and the text content could be a JSON string that would be parsed and accepted by the FastAPI application. This is fixed in FastAPI 0.65.2. The request data is now parsed as JSON only if the content-type header is application/json or another JSON compatible media type like application/geo+json. It's best to upgrade to the latest FastAPI, but if updating is not possible then a middleware or a dependency that checks the content-type header and aborts the request if it is not application/json or another JSON compatible content type can act as a mitigating workaround.",
   id: "PYSEC-2021-100",
   modified: "2021-06-22T04:54:55.863034Z",
   published: "2021-06-09T18:15:00Z",
   references: [
      {
         type: "FIX",
         url: "https://github.com/tiangolo/fastapi/commit/fa7e3c996edf2d5482fff8f9d890ac2390dede4d",
      },
      {
         type: "ADVISORY",
         url: "https://github.com/tiangolo/fastapi/security/advisories/GHSA-8h2j-cgx8-6xv7",
      },
      {
         type: "WEB",
         url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MATAWX25TYKNEKLDMKWNLYDB34UWTROA/",
      },
   ],
}


Log in or create an account to share your comment.

Security Advisory comment format.

This schema specifies the format of a comment related to a security advisory.

UUIDv4 of the comment
UUIDv4 of the Vulnerability-Lookup instance
When the comment was created originally
When the comment was last updated
Title of the comment
Description of the comment
The identifier of the vulnerability (CVE ID, GHSA-ID, PYSEC ID, etc.).



Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.