
[ASA-202107-6] python-fastapi: cross-site request forgery

Published: 2021-07-01 00:00:00 | Source: security.archlinux.org

CVSS2: 5.8 Medium (AV:N/AC:M/Au:N/C:P/I:P/A:N)
Attack Vector: NETWORK | Attack Complexity: MEDIUM | Authentication: NONE | Confidentiality Impact: PARTIAL | Integrity Impact: PARTIAL | Availability Impact: NONE

CVSS3: 8.2 High (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N)
Attack Vector: NETWORK | Attack Complexity: LOW | Privileges Required: NONE | User Interaction: NONE | Scope: UNCHANGED | Confidentiality Impact: LOW | Integrity Impact: HIGH | Availability Impact: NONE

EPSS: 0.001 Low (percentile 37.6%)

Arch Linux Security Advisory ASA-202107-6

Severity: Medium
Date : 2021-07-01
CVE-ID : CVE-2021-32677
Package : python-fastapi
Type : cross-site request forgery
Remote : Yes
Link : https://security.archlinux.org/AVG-2060

Summary

The package python-fastapi before version 0.65.2-1 is vulnerable to
cross-site request forgery.

Resolution

Upgrade to 0.65.2-1.

pacman -Syu "python-fastapi>=0.65.2-1"

The problem has been fixed upstream in version 0.65.2.

Workaround

To mitigate the issue, it would be possible to add a middleware or a
dependency that checks the content-type header and aborts the request
if it is not application/json or another JSON compatible content type.

Description

FastAPI versions lower than 0.65.2 that used cookies for authentication
in path operations that received JSON payloads sent by browsers were
vulnerable to a Cross-Site Request Forgery (CSRF) attack.

In versions lower than 0.65.2, FastAPI would try to read the request
payload as JSON even if the content-type header sent was not set to
application/json or a compatible JSON media type (e.g.
application/geo+json).

So, a request with a content type of text/plain containing JSON data
would be accepted and the JSON data would be extracted.

But requests with content type text/plain are exempt from CORS
preflights because they count as simple requests. So the browser would
send them right away, including cookies, and the text body could be a
JSON string that the FastAPI application would parse and accept.
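The content-type check described under Workaround, as an added illustration that is not part of the advisory or of FastAPI's own code. It is written as a pure ASGI middleware so it runs without FastAPI installed; the `RequireJSONContentType` class, the `_echo_app` stand-in for the application and the `simulate` driver are constructed for this demo.

```python
import asyncio
import json


def is_json_media_type(content_type):
    """True for application/json or any application/*+json type (e.g. application/geo+json)."""
    if not content_type:
        return False
    media_type = content_type.split(";", 1)[0].strip().lower()  # drop parameters such as charset
    if media_type.count("/") != 1:
        return False
    main_type, subtype = media_type.split("/")
    return main_type == "application" and (subtype == "json" or subtype.endswith("+json"))


class RequireJSONContentType:
    """Pure ASGI middleware (constructed for this demo): 415 for non-JSON bodies before parsing."""
    def __init__(self, app, methods=("POST", "PUT", "PATCH", "DELETE")):
        self.app = app
        self.methods = frozenset(methods)

    async def __call__(self, scope, receive, send):
        if scope["type"] == "http" and scope["method"] in self.methods:
            headers = {k.decode("latin-1").lower(): v.decode("latin-1") for k, v in scope["headers"]}
            if not is_json_media_type(headers.get("content-type")):
                # A text/plain "simple request" (no CORS preflight) stops here, cookies or not.
                body = json.dumps({"detail": "Unsupported Media Type"}).encode()
                await send({"type": "http.response.start", "status": 415,
                            "headers": [(b"content-type", b"application/json")]})
                await send({"type": "http.response.body", "body": body})
                return
        await self.app(scope, receive, send)


async def _echo_app(scope, receive, send):
    """Stand-in for the FastAPI application (constructed for this demo): always answers 200."""
    await send({"type": "http.response.start", "status": 200, "headers": []})
    await send({"type": "http.response.body", "body": b"ok"})


def simulate(method, content_type):
    """Drive the wrapped app with a synthetic ASGI scope and return the HTTP status code."""
    headers = [(b"content-type", content_type.encode())] if content_type is not None else []
    scope = {"type": "http", "method": method, "headers": headers}
    seen = {}
    async def send(message):
        if message["type"] == "http.response.start":
            seen["status"] = message["status"]
    asyncio.run(RequireJSONContentType(_echo_app)(scope, None, send))
    return seen["status"]
```

The middleware also rejects body-less POST requests that carry no Content-Type at all, so an application that legitimately accepts such requests (or form uploads) must exempt those paths.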

Impact

A remote attacker could perform cross-site request forgery (CSRF)
attacks on FastAPI applications accepting JSON payloads.

References

https://github.com/tiangolo/fastapi/security/advisories/GHSA-8h2j-cgx8-6xv7
https://github.com/tiangolo/fastapi/pull/2118
https://github.com/tiangolo/fastapi/commit/fa7e3c996edf2d5482fff8f9d890ac2390dede4d
https://security.archlinux.org/CVE-2021-32677

Affected packages:

OS         | Version | Architecture | Package        | Version    | Filename
Arch Linux | any     | any          | python-fastapi | < 0.65.2-1 | UNKNOWN
