7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
6.7 Medium
AI Score
Confidence
High
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
0.001 Low
EPSS
Percentile
46.6%
fastapi is vulnerable to Regular Expression Denial Of Service (ReDoS). The vulnerability is due to the python-multipart
dependency which utilized a Regex expression with inefficient complexity. An attacker can inject a malicious Content-Type
header, which causes the application to hang while it processes the crafted header.
github.com/advisories/GHSA-qf9m-vfgh-m389
github.com/andrew-d/python-multipart/blob/d3d16dae4b061c34fe9d3c9081d9800c49fc1f7a/multipart/multipart.py#L72-L74
github.com/encode/starlette/commit/13e5c26a27f4903924624736abd6131b2da80cc5
github.com/encode/starlette/security/advisories/GHSA-93gm-qmq6-w238
github.com/Kludex/python-multipart/commit/20f0ef6b4e4caf7d69a667c54dff57fe467109a4
github.com/Kludex/python-multipart/security/advisories/GHSA-2jv5-9r88-3w3p
github.com/tiangolo/fastapi/commit/9d34ad0ee8a0dfbbcce06f76c2d5d851085024fc
github.com/tiangolo/fastapi/releases/tag/0.109.1
github.com/tiangolo/fastapi/security/advisories/GHSA-qf9m-vfgh-m389
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
6.7 Medium
AI Score
Confidence
High
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
0.001 Low
EPSS
Percentile
46.6%