webargs@1.9.0 vulnerabilities

Declarative parsing and validation of HTTP request objects, with built-in support for popular web frameworks, including Flask, Django, Bottle, Tornado, Pyramid, Falcon, and aiohttp.

latest version

8.4.0
latest non vulnerable version

8.4.0
first published

10 years ago
latest version published

4 months ago
licenses detected
- MIT
  [0,)
View webargs package health on Snyk Advisor Open this link in a new tab

Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the webargs package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability Vulnerable Version

Vulnerability	Vulnerable Version
H Cross-Site Request Forgery (CSRF) webargs is a python library for parsing and validating HTTP request objects, with built-in support for popular web frameworks, including Flask, Django, Bottle, Tornado, Pyramid, webapp2, Falcon, and aiohttp. Affected versions of this package are vulnerable to Cross-Site Request Forgery (CSRF). `Flaskparser.py` does not check that the `Content-Type` header is `application/json` when receiving JSON input. If the request body is valid JSON, it will accept it even if the content type is `application/x-www-form-urlencoded`. This allows for JSON POST requests to be made across domains, leading to CSRF. How to fix Cross-Site Request Forgery (CSRF)? Upgrade `webargs` to version 6.0.0b4, 5.5.3 or higher.	[6.0.0b1,6.0.0b4) [,5.5.3)
M Race Condition webargs is a python library for parsing and validating HTTP request objects, with built-in support for popular web frameworks, including Flask, Django, Bottle, Tornado, Pyramid, webapp2, Falcon, and aiohttp. Affected versions of this package are vulnerable to Race Condition. Json parsing uses a short-lived cache to store the parsed Json body. This cache is not thread-safe, meaning that incorrect Json payloads could have been parsed for concurrent requests. How to fix Race Condition? Upgrade `webargs` to version 5.1.3 or higher.	[,5.1.3)

Cross-Site Request Forgery (CSRF)

webargs is a python library for parsing and validating HTTP request objects, with built-in support for popular web frameworks, including Flask, Django, Bottle, Tornado, Pyramid, webapp2, Falcon, and aiohttp.

Affected versions of this package are vulnerable to Cross-Site Request Forgery (CSRF). Flaskparser.py does not check that the Content-Type header is application/json when receiving JSON input. If the request body is valid JSON, it will accept it even if the content type is application/x-www-form-urlencoded. This allows for JSON POST requests to be made across domains, leading to CSRF.

How to fix Cross-Site Request Forgery (CSRF)?

Upgrade webargs to version 6.0.0b4, 5.5.3 or higher.

[6.0.0b1,6.0.0b4) [,5.5.3)

Race Condition

Affected versions of this package are vulnerable to Race Condition. Json parsing uses a short-lived cache to store the parsed Json body. This cache is not thread-safe, meaning that incorrect Json payloads could have been parsed for concurrent requests.

How to fix Race Condition?

Upgrade webargs to version 5.1.3 or higher.

[,5.1.3)

Go back to all versions of this package

webargs@1.9.0 vulnerabilities

Declarative parsing and validation of HTTP request objects, with built-in support for popular web frameworks, including Flask, Django, Bottle, Tornado, Pyramid, Falcon, and aiohttp.

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities