Inefficient regular expression complexity in FastAPI

#VU86533 Inefficient regular expression complexity in FastAPI

Published: 2024-02-15

Vulnerability identifier: #VU86533

Vulnerability risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-24762

CWE-ID: CWE-1333

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
FastAPI
Web applications / CMS

Vendor: FastAPI Project

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient input validation when processing value of the "Content-Type" HTTP header with a regular expressions. A remote attacker can pass specially crafted data to the application and perform regular expression denial of service (ReDos) attack.

Mitigation
Install update from vendor's website.

Vulnerable software versions

FastAPI: 0.1.11 - 0.109.0

External links
http://github.com/tiangolo/fastapi/security/advisories/GHSA-qf9m-vfgh-m389
http://github.com/tiangolo/fastapi/commit/9d34ad0ee8a0dfbbcce06f76c2d5d851085024fc
http://github.com/tiangolo/fastapi/releases/tag/0.109.1

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Inefficient regular expression complexity in IBM Business Automation Workflow

Multiple vulnerabilities in IBM App Connect Enterprise Certified Container

Multiple vulnerabilities in IBM QRadar Suite Software

Fedora 40 update for python-fastapi

Remote denial of service in FastAPI