Cross-site Request Forgery (CSRF) Affecting fastapi package, versions [,0.65.2)
Snyk CVSS
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-PYTHON-FASTAPI-1303092
- published 10 Jun 2021
- disclosed 10 Jun 2021
- credit Unknown
Introduced: 10 Jun 2021
CVE-2021-32677 Open this link in a new tabHow to fix?
Upgrade fastapi
to version 0.65.2 or higher.
Overview
fastapi is a web framework for building APIs with Python 3.6+ based on standard Python type hints.
Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF). FastAPI
would try to read the request payload as JSON even if the content-type header sent was not set to application/json or a compatible JSON media type (e.g. application/geo+json). A request with a content type of text/plain containing JSON data would be accepted and the JSON data would be extracted. Requests with content type text/plain are exempt from CORS preflights, for being considered Simple requests. The browser will execute them right away including cookies, and the text content could be a JSON string that would be parsed and accepted by the FastAPI
application.