pysec-2021-100
Vulnerability from pysec
FastAPI is a web framework for building APIs with Python 3.6+ based on standard Python type hints. FastAPI versions lower than 0.65.2 that used cookies for authentication in path operations that received JSON payloads sent by browsers were vulnerable to a Cross-Site Request Forgery (CSRF) attack. In versions lower than 0.65.2, FastAPI would try to read the request payload as JSON even if the content-type header sent was not set to application/json or a compatible JSON media type (e.g. application/geo+json). A request with a content type of text/plain containing JSON data would be accepted and the JSON data would be extracted. Requests with content type text/plain are exempt from CORS preflights, for being considered Simple requests. The browser will execute them right away including cookies, and the text content could be a JSON string that would be parsed and accepted by the FastAPI application. This is fixed in FastAPI 0.65.2. The request data is now parsed as JSON only if the content-type header is application/json or another JSON compatible media type like application/geo+json. It's best to upgrade to the latest FastAPI, but if updating is not possible then a middleware or a dependency that checks the content-type header and aborts the request if it is not application/json or another JSON compatible content type can act as a mitigating workaround.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "fastapi",
"purl": "pkg:pypi/fastapi"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "fa7e3c996edf2d5482fff8f9d890ac2390dede4d"
}
],
"repo": "https://github.com/tiangolo/fastapi",
"type": "GIT"
},
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.65.2"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"0.1.0",
"0.1.10",
"0.1.11",
"0.1.12",
"0.1.13",
"0.1.14",
"0.1.15",
"0.1.16",
"0.1.17",
"0.1.18",
"0.1.19",
"0.1.2",
"0.1.3",
"0.1.4",
"0.1.5",
"0.1.6",
"0.1.7",
"0.1.8",
"0.1.9",
"0.10.0",
"0.10.1",
"0.10.2",
"0.11.0",
"0.12.0",
"0.12.1",
"0.13.0",
"0.14.0",
"0.15.0",
"0.16.0",
"0.17.0",
"0.18.0",
"0.19.0",
"0.2.0",
"0.2.1",
"0.20.0",
"0.20.1",
"0.21.0",
"0.22.0",
"0.23.0",
"0.24.0",
"0.25.0",
"0.26.0",
"0.27.0",
"0.27.1",
"0.27.2",
"0.28.0",
"0.29.0",
"0.29.1",
"0.3.0",
"0.30.0",
"0.30.1",
"0.31.0",
"0.32.0",
"0.33.0",
"0.34.0",
"0.35.0",
"0.36.0",
"0.37.0",
"0.38.0",
"0.38.1",
"0.39.0",
"0.4.0",
"0.40.0",
"0.41.0",
"0.42.0",
"0.43.0",
"0.44.0",
"0.44.1",
"0.45.0",
"0.46.0",
"0.47.0",
"0.47.1",
"0.48.0",
"0.49.0",
"0.49.1",
"0.49.2",
"0.5.0",
"0.5.1",
"0.50.0",
"0.51.0",
"0.52.0",
"0.53.0",
"0.53.1",
"0.53.2",
"0.54.0",
"0.54.1",
"0.54.2",
"0.55.0",
"0.55.1",
"0.56.0",
"0.56.1",
"0.57.0",
"0.58.0",
"0.58.1",
"0.59.0",
"0.6.0",
"0.6.1",
"0.6.2",
"0.6.3",
"0.6.4",
"0.60.0",
"0.60.1",
"0.60.2",
"0.61.0",
"0.61.1",
"0.61.2",
"0.62.0",
"0.63.0",
"0.64.0",
"0.65.0",
"0.65.1",
"0.7.0",
"0.7.1",
"0.8.0",
"0.9.0",
"0.9.1"
]
}
],
"aliases": [
"CVE-2021-32677",
"GHSA-8h2j-cgx8-6xv7"
],
"details": "FastAPI is a web framework for building APIs with Python 3.6+ based on standard Python type hints. FastAPI versions lower than 0.65.2 that used cookies for authentication in path operations that received JSON payloads sent by browsers were vulnerable to a Cross-Site Request Forgery (CSRF) attack. In versions lower than 0.65.2, FastAPI would try to read the request payload as JSON even if the content-type header sent was not set to application/json or a compatible JSON media type (e.g. application/geo+json). A request with a content type of text/plain containing JSON data would be accepted and the JSON data would be extracted. Requests with content type text/plain are exempt from CORS preflights, for being considered Simple requests. The browser will execute them right away including cookies, and the text content could be a JSON string that would be parsed and accepted by the FastAPI application. This is fixed in FastAPI 0.65.2. The request data is now parsed as JSON only if the content-type header is application/json or another JSON compatible media type like application/geo+json. It\u0027s best to upgrade to the latest FastAPI, but if updating is not possible then a middleware or a dependency that checks the content-type header and aborts the request if it is not application/json or another JSON compatible content type can act as a mitigating workaround.",
"id": "PYSEC-2021-100",
"modified": "2021-06-22T04:54:55.863034Z",
"published": "2021-06-09T18:15:00Z",
"references": [
{
"type": "FIX",
"url": "https://github.com/tiangolo/fastapi/commit/fa7e3c996edf2d5482fff8f9d890ac2390dede4d"
},
{
"type": "ADVISORY",
"url": "https://github.com/tiangolo/fastapi/security/advisories/GHSA-8h2j-cgx8-6xv7"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MATAWX25TYKNEKLDMKWNLYDB34UWTROA/"
}
]
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.