[ASA-202107-6] python-fastapi: cross-site request forgery

Jonas Witschel diabonas at archlinux.org
Sat Jul 3 16:25:06 UTC 2021

Arch Linux Security Advisory ASA-202107-6

Severity: Medium
Date    : 2021-07-01
CVE-ID  : CVE-2021-32677
Package : python-fastapi
Type    : cross-site request forgery
Remote  : Yes
Link    : https://security.archlinux.org/AVG-2060


The package python-fastapi before version 0.65.2-1 is vulnerable to
cross-site request forgery.


Upgrade to 0.65.2-1.

# pacman -Syu "python-fastapi>=0.65.2-1"

The problem has been fixed upstream in version 0.65.2.


To mitigate the issue, it would be possible to add a middleware or a
dependency that checks the content-type header and aborts the request
if it is not application/json or another JSON compatible content type.


FastAPI versions lower than 0.65.2 that used cookies for authentication
in path operations that received JSON payloads sent by browsers were
vulnerable to a Cross-Site Request Forgery (CSRF) attack.

In versions lower than 0.65.2, FastAPI would try to read the request
payload as JSON even if the content-type header sent was not set to
application/json or a compatible JSON media type (e.g.

So, a request with a content type of text/plain containing JSON data
would be accepted and the JSON data would be extracted.

But requests with content type text/plain are exempt from CORS
preflights, for being considered Simple requests. So, the browser would
execute them right away including cookies, and the text content could
be a JSON string that would be parsed and accepted by the FastAPI


A remote attacker could perform cross-origin request forgery (CSRF)
attacks on FastAPI applications accepting JSON payloads.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20210703/24a4d07c/attachment-0001.sig>

More information about the arch-security mailing list