FastAPI Guard Regular Expression Denial-of-Service Vulnerability
Vulnerability
A denial-of-service vulnerability has been identified in FastAPI Guard versions up to and including 3.0.0. The issue lies in the library's middleware that detects penetration attempts by scanning incoming requests with regular expressions. Several of these patterns are inefficient and exhibit polynomial-time backtracking when fed specially crafted input. A single request carrying such a payload drives CPU usage to saturation and can leave the service unresponsive for hours. No authentication is required, and no exploit beyond the crafted request body is needed.
Impact
Exploitation causes severe performance degradation: the worker processing the malicious request is pinned on the regex scan, so every request it would otherwise serve stalls, and repeated requests can exhaust all workers and leave the service unresponsive for an extended period.
Reproduction
The vulnerability can be reproduced against a FastAPI application running the FastAPI Guard middleware in a version prior to 3.0.1 with its default penetration detection enabled. Send a POST request whose body is crafted to trigger one of the inefficient patterns used by the penetration detection, for example the XSS pattern, so that it backtracks with polynomial time complexity. A body consisting of a large number of repeated script tags or JavaScript URLs (the very constructs the patterns are written to detect) is sufficient. Confirm the result by timing the request and watching CPU usage on the server rather than waiting for an error: the request does not fail, it simply never completes in reasonable time, and doubling the payload length should roughly quadruple the scan time.
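As an added illustration of the mechanism (this is not FastAPI Guard's code; the two patterns, the `MAX_SCAN_BYTES` cap and the helper names are constructed stand-ins, not the library's actual regexes), the following Python compares a deliberately quadratic script-tag detector with a linear rewrite on a payload of the shape described above: many openings, no closing `>` and no closing tag.

```python
"""
Added example, not part of FastAPI Guard: a constructed quadratic "XSS
detector" regex beside a linear-time rewrite, with a timing harness that
shows the backtracking cost growing superlinearly with payload size.
"""
import re
import time

# Hypothetical vulnerable pattern (an assumption for illustration, not the
# library's). For every "<script" in the body, `[^>]*` greedily consumes to
# the end of the input (no '>' is present), the literal '>' then fails, and
# the engine backtracks one character at a time. With k occurrences in an
# n-byte body that is O(k * n) = O(n^2) work before search() returns False.
VULNERABLE_XSS = re.compile(r"<script[^>]*>.*?</script>", re.IGNORECASE | re.DOTALL)

# Hardened rewrite (also an assumption): flag the opening tag alone and put a
# hard bound on the attribute run, so each "<script" costs at most a few
# hundred steps and the whole scan is linear in n.
HARDENED_XSS = re.compile(r"<script\b[^>]{0,256}>?", re.IGNORECASE)

# Defense in depth: never hand an unbounded body to a backtracking engine.
MAX_SCAN_BYTES = 64 * 1024


def detect_vulnerable(body: str) -> bool:
    """Quadratic-time check: returns True only for a complete script element."""
    return VULNERABLE_XSS.search(body) is not None


def detect_hardened(body: str) -> bool:
    """Linear-time check; oversized bodies are rejected instead of scanned."""
    if len(body) > MAX_SCAN_BYTES:
        return True
    return HARDENED_XSS.search(body) is not None


def build_payload(repeats: int) -> str:
    """Constructed ReDoS payload: repeated openings, no '>' and no closing tag."""
    return "<script " * repeats


def timed(detector, body: str) -> tuple[bool, float]:
    """Run a detector on a body and return (verdict, elapsed seconds)."""
    start = time.perf_counter()
    verdict = detector(body)
    return verdict, time.perf_counter() - start


if __name__ == "__main__":
    # Doubling the payload should roughly quadruple the vulnerable scan time,
    # while the hardened scan stays flat.
    for repeats in (500, 1000, 2000, 4000):
        body = build_payload(repeats)
        v_verdict, v_time = timed(detect_vulnerable, body)
        h_verdict, h_time = timed(detect_hardened, body)
        print(f"{len(body):>6} bytes  vulnerable={v_verdict} {v_time:.4f}s  "
              f"hardened={h_verdict} {h_time:.6f}s")
```

Two details are worth noting. The vulnerable pattern returns False on the payload after doing all that work, so a malformed body that never matches is the worst case, not a real attack string. The hardened version flags the same body as suspicious, which is the behaviour a WAF-style check should have: a request stuffed with unterminated `<script` openings is not benign. Python's `re` is a backtracking engine; where the regex set is large or untrusted, a linear-time engine such as RE2 plus an upstream body-size limit is the more robust fix than pattern-by-pattern rewriting.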
Remediation
Upgrade to FastAPI Guard version 3.0.1 or later, where this vulnerability has been fixed. As defense in depth, enforce a maximum request body size at the reverse proxy or ASGI server in front of the application, so that no single request can hand the middleware an arbitrarily large input to scan.
