Improper Restriction of Communication Channel to Intended Endpoints Affecting fastcrud package, versions [,0.19.0)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-PYTHON-FASTCRUD-14172730
- published4 Dec 2025
- disclosed2 Dec 2025
- creditUnknown
Introduced: 2 Dec 2025
New CVE NOT AVAILABLE CWE-923 (opens in a new tab)How to fix?
Upgrade fastcrud to version 0.19.0 or higher.
Overview
fastcrud is a FastCRUD is a Python package for FastAPI, offering robust async CRUD operations and flexible endpoint creation utilities.
Affected versions of this package are vulnerable to Improper Restriction of Communication Channel to Intended Endpoints due to improper handling of the exclude_fields parameter in the _create_modified_schema function. The function fails to enforce immutability on the field-exclusion list, allowing callers or dependent code to mutate shared state and reintroduce sensitive fields such as passwords or API keys into generated schemas. An attacker can exploit this through cache poisoning or list-manipulation attacks to expose sensitive data that should have been excluded from API responses.