[ASA-202107-6] python-fastapi: cross-site request forgery
diabonas at archlinux.org
Sat Jul 3 16:25:06 UTC 2021
Arch Linux Security Advisory ASA-202107-6
Date : 2021-07-01
CVE-ID : CVE-2021-32677
Package : python-fastapi
Type : cross-site request forgery
Remote : Yes
Link : https://security.archlinux.org/AVG-2060
The package python-fastapi before version 0.65.2-1 is vulnerable to
cross-site request forgery.
Upgrade to 0.65.2-1.
# pacman -Syu "python-fastapi>=0.65.2-1"
The problem has been fixed upstream in version 0.65.2.
To mitigate the issue, it would be possible to add a middleware or a
dependency that checks the content-type header and aborts the request
if it is not application/json or another JSON compatible content type.
FastAPI versions lower than 0.65.2 that used cookies for authentication
in path operations that received JSON payloads sent by browsers were
vulnerable to a Cross-Site Request Forgery (CSRF) attack.
In versions lower than 0.65.2, FastAPI would try to read the request
payload as JSON even if the content-type header sent was not set to
application/json or a compatible JSON media type (e.g.
So, a request with a content type of text/plain containing JSON data
would be accepted and the JSON data would be extracted.
But requests with content type text/plain are exempt from CORS
preflights, for being considered Simple requests. So, the browser would
execute them right away including cookies, and the text content could
be a JSON string that would be parsed and accepted by the FastAPI
A remote attacker could perform cross-origin request forgery (CSRF)
attacks on FastAPI applications accepting JSON payloads.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 833 bytes
Desc: not available
More information about the arch-security