fastapi-users 9.3.0 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the fastapi-users package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
M Cross-site Request Forgery (CSRF) fastapi-users is a Ready-to-use and customizable users management for FastAPI Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) via the `generate_state_token` function, which is called with an empty `state_data` dict, so the resulting JWT contains only the fixed audience claim and an expiration timestamp. An attacker can gain unauthorized access to user accounts or cause a user to be logged into the attacker's account by capturing a server-generated state token during the OAuth flow and tricking a victim into completing the authentication callback with attacker-controlled parameters. How to fix Cross-site Request Forgery (CSRF)? Upgrade `fastapi-users` to version 15.0.2 or higher.	[,15.0.2)
M Observable Response Discrepancy fastapi-users is a Ready-to-use and customizable users management for FastAPI Affected versions of this package are vulnerable to Observable Response Discrepancy. Exploiting this vulnerability is possible by sending web requests enumerating over values for an HTTP header in an attempt to find `Redis` keys. How to fix Observable Response Discrepancy? Upgrade `fastapi-users` to version 10.1.3 or higher.	[,10.1.3)
H Authentication Bypass fastapi-users is a Ready-to-use and customizable users management for FastAPI Affected versions of this package are vulnerable to Authentication Bypass in the account e-mail association when authenticating with `OAuth`. How to fix Authentication Bypass? Upgrade `fastapi-users` to version 10.1.0 or higher.	[,10.1.0)

Vulnerability

Vulnerable Version

Cross-site Request Forgery (CSRF)

fastapi-users is a Ready-to-use and customizable users management for FastAPI

Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) via the generate_state_token function, which is called with an empty state_data dict, so the resulting JWT contains only the fixed audience claim and an expiration timestamp. An attacker can gain unauthorized access to user accounts or cause a user to be logged into the attacker's account by capturing a server-generated state token during the OAuth flow and tricking a victim into completing the authentication callback with attacker-controlled parameters.

How to fix Cross-site Request Forgery (CSRF)?

Upgrade fastapi-users to version 15.0.2 or higher.

[,15.0.2)

Observable Response Discrepancy

fastapi-users is a Ready-to-use and customizable users management for FastAPI

Affected versions of this package are vulnerable to Observable Response Discrepancy. Exploiting this vulnerability is possible by sending web requests enumerating over values for an HTTP header in an attempt to find Redis keys.

How to fix Observable Response Discrepancy?

Upgrade fastapi-users to version 10.1.3 or higher.

[,10.1.3)

Authentication Bypass

fastapi-users is a Ready-to-use and customizable users management for FastAPI

Affected versions of this package are vulnerable to Authentication Bypass in the account e-mail association when authenticating with OAuth.

How to fix Authentication Bypass?

Upgrade fastapi-users to version 10.1.0 or higher.

[,10.1.0)

fastapi-users@9.3.0 vulnerabilities

Ready-to-use and customizable users management for FastAPI

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically