Lack of data validation - Path Traversal In fastapi-api-key

Description

FastAPI Api Key has a timing side-channel in verify_key that allows statistical key validity detection

Impact

Timing side-channel vulnerability in verify_key(). The method applied a random delay only on verification failures, allowing an attacker to statistically distinguish valid from invalid API keys by measuring response latencies. With enough repeated requests, an adversary could infer whether a key_id corresponds to a valid key, potentially accelerating brute-force or enumeration attacks.

Affected: all users relying on verify_key() for API key authentication prior to the fix.

Patches

Yes. Users should upgrade to version 1.1.0 (or the version containing this fix). The patch applies a uniform random delay (min_delay to max_delay) to all responses regardless of outcome, eliminating the timing correlation.
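To make the flaw and the fix concrete, here is an added example (not the fastapi-api-key project's own code) that contrasts the vulnerable shape of verify_key(), delaying only on failure, with the patched shape, delaying uniformly on every outcome. The in-memory key store, the delay bounds and the mean_delay_gap() regression check are assumptions constructed for this illustration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory key store for this example (not the project's storage):
# key_id -> SHA-256 hex digest of the secret part of the key.
_KEYS = {"key_123": hashlib.sha256(b"s3cret").hexdigest()}
_DUMMY = hashlib.sha256(b"dummy").hexdigest()


def _uniform_delay(min_delay, max_delay, sleep=time.sleep):
    """Sleep for a uniform random duration in [min_delay, max_delay] and return it."""
    d = min_delay + (max_delay - min_delay) * secrets.randbelow(10_000) / 10_000
    sleep(d)
    return d


def verify_key_before(key_id, secret, min_delay=0.05, max_delay=0.2, sleep=time.sleep):
    """Vulnerable shape: the random delay is applied only when verification fails,
    so a valid (key_id, secret) pair answers measurably faster. Returns (ok, delay)."""
    stored = _KEYS.get(key_id)
    candidate = hashlib.sha256(secret.encode()).hexdigest()
    if stored is not None and hmac.compare_digest(stored, candidate):
        return True, 0.0
    return False, _uniform_delay(min_delay, max_delay, sleep)


def verify_key_after(key_id, secret, min_delay=0.05, max_delay=0.2, sleep=time.sleep):
    """Patched shape: the same uniform delay on every outcome, and the constant-time
    hash comparison runs even for an unknown key_id, so latency carries no signal."""
    stored = _KEYS.get(key_id)
    candidate = hashlib.sha256(secret.encode()).hexdigest()
    ok = hmac.compare_digest(stored if stored is not None else _DUMMY, candidate)
    ok = ok and stored is not None  # an unknown key_id never verifies
    return ok, _uniform_delay(min_delay, max_delay, sleep)


def mean_delay_gap(verify, samples=200):
    """Regression check for the fix: mean delay of valid minus invalid attempts.
    Uses a no-op sleep so it runs instantly; a gap near zero means no timing signal."""
    valid = [verify("key_123", "s3cret", sleep=lambda _: None)[1] for _ in range(samples)]
    invalid = [verify("key_123", "wrong", sleep=lambda _: None)[1] for _ in range(samples)]
    return sum(valid) / samples - sum(invalid) / samples


if __name__ == "__main__":
    print("before fix, gap:", round(mean_delay_gap(verify_key_before), 3))  # clearly negative
    print("after fix, gap: ", round(mean_delay_gap(verify_key_after), 3))   # near zero
```

The gap check is the kind of test a maintainer can keep in CI so a later refactor cannot quietly reintroduce a failure-only delay.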

Workarounds

    Add an application-level fixed delay or random jitter to all authentication responses (success and failure) before the fix is applied.

    Use rate limiting to reduce the feasibility of statistical timing attacks.
