Arch Linux Security Advisory ASA-202107-6 ========================================= Severity: Medium Date : 2021-07-01 CVE-ID : CVE-2021-32677 Package : python-fastapi Type : cross-site request forgery Remote : Yes Link : https://security.archlinux.org/AVG-2060 Summary ======= The package python-fastapi before version 0.65.2-1 is vulnerable to cross-site request forgery. Resolution ========== Upgrade to 0.65.2-1. # pacman -Syu "python-fastapi>=0.65.2-1" The problem has been fixed upstream in version 0.65.2. Workaround ========== To mitigate the issue, it would be possible to add a middleware or a dependency that checks the content-type header and aborts the request if it is not application/json or another JSON compatible content type. Description =========== FastAPI versions lower than 0.65.2 that used cookies for authentication in path operations that received JSON payloads sent by browsers were vulnerable to a Cross-Site Request Forgery (CSRF) attack. In versions lower than 0.65.2, FastAPI would try to read the request payload as JSON even if the content-type header sent was not set to application/json or a compatible JSON media type (e.g. application/geo+json). So, a request with a content type of text/plain containing JSON data would be accepted and the JSON data would be extracted. But requests with content type text/plain are exempt from CORS preflights, for being considered Simple requests. So, the browser would execute them right away including cookies, and the text content could be a JSON string that would be parsed and accepted by the FastAPI application. Impact ====== A remote attacker could perform cross-origin request forgery (CSRF) attacks on FastAPI applications accepting JSON payloads. References ========== https://github.com/tiangolo/fastapi/security/advisories/GHSA-8h2j-cgx8-6xv7 https://github.com/tiangolo/fastapi/pull/2118 https://github.com/tiangolo/fastapi/commit/fa7e3c996edf2d5482fff8f9d890ac2390dede4d https://security.archlinux.org/CVE-2021-32677