[ASA-202107-6] python-fastapi: cross-site request forgery
Jonas Witschel
diabonas at archlinux.org
Sat Jul 3 16:25:06 UTC 2021
Arch Linux Security Advisory ASA-202107-6
=========================================
Severity: Medium
Date : 2021-07-01
CVE-ID : CVE-2021-32677
Package : python-fastapi
Type : cross-site request forgery
Remote : Yes
Link : https://security.archlinux.org/AVG-2060
Summary
=======
The package python-fastapi before version 0.65.2-1 is vulnerable to
cross-site request forgery.
Resolution
==========
Upgrade to 0.65.2-1.
# pacman -Syu "python-fastapi>=0.65.2-1"
The problem has been fixed upstream in version 0.65.2.
Workaround
==========
To mitigate the issue, it would be possible to add a middleware or a
dependency that checks the content-type header and aborts the request
if it is not application/json or another JSON compatible content type.
Description
===========
FastAPI versions lower than 0.65.2 that used cookies for authentication
in path operations that received JSON payloads sent by browsers were
vulnerable to a Cross-Site Request Forgery (CSRF) attack.
In versions lower than 0.65.2, FastAPI would try to read the request
payload as JSON even if the content-type header sent was not set to
application/json or a compatible JSON media type (e.g.
application/geo+json).
So, a request with a content type of text/plain containing JSON data
would be accepted and the JSON data would be extracted.
But requests with content type text/plain are exempt from CORS
preflights, for being considered Simple requests. So, the browser would
execute them right away including cookies, and the text content could
be a JSON string that would be parsed and accepted by the FastAPI
application.
Impact
======
A remote attacker could perform cross-origin request forgery (CSRF)
attacks on FastAPI applications accepting JSON payloads.
References
==========
https://github.com/tiangolo/fastapi/security/advisories/GHSA-8h2j-cgx8-6xv7
https://github.com/tiangolo/fastapi/pull/2118
https://github.com/tiangolo/fastapi/commit/fa7e3c996edf2d5482fff8f9d890ac2390dede4d
https://security.archlinux.org/CVE-2021-32677
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20210703/24a4d07c/attachment-0001.sig>
More information about the arch-security
mailing list