webargs is vulnerable to cross-site request forgery (CSRF). The JSON parser treats a request body as JSON whenever the body is valid JSON, regardless of the Content-Type header: a request is accepted even when its content type is application/x-www-form-urlencoded rather than application/json. Because browsers allow a cross-origin HTML form to submit that content type with the victim's credentials and no CORS preflight, JSON POST requests can be made across domains, allowing successful cross-site request forgery attacks to be performed.
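The following is an added illustration of the weak check the advisory describes beside a hardened one; it is not webargs' own code, and the `Request` class, `parse_json_lenient` and `parse_json_strict` are constructed names for this example. The lenient parser accepts a JSON body under a form content type, which is the CSRF vector; the strict parser only parses JSON when the client actually declared `application/json`, which a cross-site form cannot do without a preflight.

```python
import json
from typing import Any, Optional


class Request:
    """Minimal stand-in for an incoming HTTP request (constructed for this
    example, not a framework or webargs type): the Content-Type header
    value and the raw body bytes."""

    def __init__(self, content_type: Optional[str], body: bytes) -> None:
        self.content_type = content_type
        self.body = body


def mimetype(content_type: Optional[str]) -> str:
    """Return the media type of a Content-Type header, lowercased and
    stripped of parameters such as '; charset=utf-8'."""
    if not content_type:
        return ""
    return content_type.split(";", 1)[0].strip().lower()


def parse_json_lenient(req: Request) -> Optional[Any]:
    """The behaviour described in the advisory: decide that the request is
    JSON by trying to parse the body, ignoring the declared Content-Type.
    A body that parses as JSON is accepted even under
    application/x-www-form-urlencoded."""
    try:
        return json.loads(req.body)
    except ValueError:
        return None


def parse_json_strict(req: Request) -> Optional[Any]:
    """Hardened behaviour: parse the body as JSON only when the client
    declared application/json. Browsers cannot send that content type
    cross-origin from a plain form or without a CORS preflight, so a
    forged cross-site request is refused before its body is looked at."""
    if mimetype(req.content_type) != "application/json":
        return None
    try:
        return json.loads(req.body)
    except ValueError:
        return None


def cross_site_form_accepted(parser) -> bool:
    """Check whether a parser accepts a JSON body delivered under a form
    content type, i.e. whether it is exposed to the CSRF issue.
    The request below is a constructed sample, not captured traffic."""
    forged = Request("application/x-www-form-urlencoded", b'{"amount": 100}')
    return parser(forged) is not None


if __name__ == "__main__":
    print("lenient parser exposed:", cross_site_form_accepted(parse_json_lenient))
    print("strict parser exposed: ", cross_site_form_accepted(parse_json_strict))
```

`parse_json_strict` compares the media type only, so a legitimate client sending `application/json; charset=utf-8` is still parsed; if an API also accepts structured-syntax suffixes such as `application/vnd.api+json`, extend the comparison rather than falling back to sniffing the body.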