FastAPI Guard HTTP Header Injection Vulnerability

Vulnerability

An HTTP header injection vulnerability has been identified in FastAPI Guard versions prior to 2.0.0. The issue arises from the library's handling of the X-Forwarded-For header: the client IP address is taken from this header, which any client can set, so an attacker can supply an arbitrary address and have it treated as the originating IP. Because the header is only trustworthy when a proxy the application controls has appended it, honoring it unconditionally lets an attacker bypass IP-based access controls, mislead logging systems, and impersonate trusted clients, particularly in applications that rely on the resolved client IP for authorization or authentication.

Impact

Successful exploitation allows an attacker to bypass IP-based access controls (for example an allow-list of internal addresses), to write a false source address into access logs and audit trails, and to impersonate clients that the application trusts by IP.

Reproduction

To reproduce this vulnerability, install FastAPI Guard version 1.5.0 or earlier. Run the FastAPI application and send a request with a manipulated X-Forwarded-For header. Any endpoint or middleware that reports the resolved client IP will return the injected address rather than the address of the TCP peer, demonstrating the successful exploitation of the vulnerability.
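The following is an added example and is not FastAPI Guard's own code; it models the vulnerable pattern described above (treating the first X-Forwarded-For entry as the client IP, regardless of where the request came from) next to a hardened resolver that consults the header only when the TCP peer is a trusted proxy and walks the hop list from the right. The allow-list, the trusted-proxy range and the sample requests are constructed for illustration.

```python
import ipaddress
from typing import Iterable, Mapping

# Constructed sample: an IP-based access control that admits internal addresses only.
ALLOWED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]


def _parse(addr: str):
    """Return an ip_address for a well-formed literal, or None for garbage."""
    try:
        return ipaddress.ip_address(addr)
    except ValueError:
        return None


def client_ip_naive(peer_addr: str, headers: Mapping[str, str]) -> str:
    """Vulnerable pattern (assumed, modelled on the advisory): trust the first
    X-Forwarded-For entry whenever the header is present. A direct client can
    set the header itself, so the returned address is attacker-controlled."""
    xff = headers.get("x-forwarded-for", "")
    first = xff.split(",")[0].strip()
    return first or peer_addr


def client_ip_hardened(peer_addr: str, headers: Mapping[str, str],
                       trusted_proxies: Iterable[str]) -> str:
    """Hardened resolver: only honor X-Forwarded-For if the TCP peer is one of
    our proxies, then take the rightmost hop that is not itself a trusted proxy.
    Anything malformed falls back to the peer address, which cannot be spoofed
    at the HTTP layer."""
    trusted = [ipaddress.ip_network(p) for p in trusted_proxies]

    def is_trusted(addr: str) -> bool:
        ip = _parse(addr)
        return ip is not None and any(ip in net for net in trusted)

    if not is_trusted(peer_addr):
        return peer_addr  # direct connection: the header is client-controlled noise

    hops = [h.strip() for h in headers.get("x-forwarded-for", "").split(",") if h.strip()]
    for hop in reversed(hops):  # rightmost entry was appended by our own proxy
        if not is_trusted(hop):
            return hop if _parse(hop) is not None else peer_addr
    return peer_addr  # every hop was one of our proxies; nothing better than the peer


def is_allowed(ip: str) -> bool:
    """Allow-list check used by the constructed access control."""
    parsed = _parse(ip)
    return parsed is not None and any(parsed in net for net in ALLOWED_NETWORKS)


if __name__ == "__main__":
    # Constructed request: attacker at 203.0.113.5 connects directly and forges the header.
    attacker_peer = "203.0.113.5"
    forged = {"x-forwarded-for": "10.1.2.3"}
    print("naive    ->", client_ip_naive(attacker_peer, forged),
          "allowed:", is_allowed(client_ip_naive(attacker_peer, forged)))
    print("hardened ->", client_ip_hardened(attacker_peer, forged, ["192.0.2.0/24"]),
          "allowed:", is_allowed(client_ip_hardened(attacker_peer, forged, ["192.0.2.0/24"])))
```

In the direct-connection case the naive resolver returns the forged 10.1.2.3 and the allow-list admits it; the hardened resolver ignores the header because 203.0.113.5 is not a trusted proxy. When the same attacker goes through a trusted proxy at 192.0.2.10, the proxy appends the real source, so the header reads "10.1.2.3, 203.0.113.5" and walking from the right still yields 203.0.113.5.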

Remediation

Users are advised to upgrade to FastAPI Guard version 2.0.0 or later, which addresses this vulnerability. As a general precaution independent of the library version, X-Forwarded-For should only be honored for requests that arrive from a proxy the application controls; for direct connections the TCP peer address is the only client identity that cannot be forged at the HTTP layer, and IP-based authorization decisions should not be made from the header alone.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread:         8.8
impact:         5.0
exploitability: 9.7
remediation:    7.7
relevance:      0.0
threat:         6.4
urgency:        2.9
incentive:      10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.