FastAPI Api Key Timing Side-Channel Vulnerability in Key Verification Method

Vulnerability

A timing side-channel vulnerability has been identified in the FastAPI Api Key library's verify_key() method, which applies a random delay only when verification fails. Because the delay is added on one outcome but not the other, an attacker who measures response times over repeated requests can statistically distinguish valid key_id values from invalid ones, which narrows the search space for brute-force or enumeration attacks. All users who relied on verify_key() for API key authentication in releases before the patched version named under Remediation are affected.

Impact

The vulnerability creates a timing side-channel that could be exploited to infer the validity of API keys, potentially accelerating brute-force or enumeration attacks.

Reproduction

To reproduce, send repeated authentication requests to an endpoint protected by verify_key(), first with a known-invalid key_id to establish a baseline and then with the candidate key_id, recording each response time. Comparing the two timing distributions (for example their medians over a few hundred samples) reveals whether the candidate key_id exists, because only one outcome carries the extra delay.
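The following is an added example written for this page; it is not code from the FastAPI Api Key library. It models the flaw with a simplified verify function (the key store, the delay window of 1 to 4 ms, the SHA-256 digest in place of a slow password hash, and all identifiers are assumptions), runs the median-comparison distinguisher described above against it, and contrasts it with a hardened variant that does the same work on both paths.

```python
import hashlib
import hmac
import random
import statistics
import time

# Constructed key store: key_id -> digest of the secret. A real library would
# use a slow password hash; SHA-256 keeps this illustration fast.
def _digest(secret: str) -> bytes:
    return hashlib.sha256(secret.encode("utf-8")).digest()

KEYS = {"kid_valid": _digest("correct-horse-battery")}
_DUMMY_DIGEST = _digest("placeholder")  # compared when key_id is unknown


def verify_key_vulnerable(key_id: str, secret: str) -> bool:
    """Models the flaw: a random delay is added only on the not-found path,
    so response time depends on whether key_id exists (assumed delay window)."""
    record = KEYS.get(key_id)
    if record is None:
        time.sleep(random.uniform(0.001, 0.004))
        return False
    return hmac.compare_digest(record, _digest(secret))


def verify_key_hardened(key_id: str, secret: str) -> bool:
    """Does the same work on every path: one hash, one constant-time compare,
    no early return on whether key_id was found, so timing carries no signal."""
    record = KEYS.get(key_id, _DUMMY_DIGEST)
    matched = hmac.compare_digest(record, _digest(secret))
    return matched and key_id in KEYS


def sample_timings(verify, key_id: str, n: int, secret: str = "wrong") -> list:
    """Time n verification calls made with a deliberately wrong secret."""
    samples = []
    for _ in range(n):
        start = time.perf_counter()
        verify(key_id, secret)
        samples.append(time.perf_counter() - start)
    return samples


def key_id_exists(verify, candidate: str, baseline_id: str = "kid_unknown",
                  n: int = 100, threshold_s: float = 0.001) -> bool:
    """Distinguisher: compare the median latency for the candidate key_id with
    a known-invalid baseline; a gap above threshold_s marks the candidate as real."""
    baseline = statistics.median(sample_timings(verify, baseline_id, n))
    candidate_t = statistics.median(sample_timings(verify, candidate, n))
    return abs(candidate_t - baseline) > threshold_s


if __name__ == "__main__":
    print("vulnerable, real id:", key_id_exists(verify_key_vulnerable, "kid_valid"))
    print("vulnerable, fake id:", key_id_exists(verify_key_vulnerable, "kid_other"))
    print("hardened,   real id:", key_id_exists(verify_key_hardened, "kid_valid"))
```

The distinguisher never needs a correct secret: every request fails, and the medians alone separate a real key_id from a fake one against the vulnerable function, while the hardened function yields no measurable gap. A median over 100 samples is used rather than a single request because the delay is random; that is exactly why "enough repeated requests" is the condition in the advisory.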

Remediation

Users should upgrade to FastAPI Api Key version 1.1.0 or later, which includes the patch. The patch applies a uniform random delay to every verification response, regardless of outcome, so response time no longer correlates with whether the key_id exists. Until the upgrade is applied, an application-level fixed delay or random jitter on all authentication responses, combined with rate limiting, reduces the feasibility of a statistical timing attack. Note that jitter raises the number of samples an attacker needs rather than removing the underlying signal, so any custom authentication code should also do the same amount of work on the found and not-found paths and compare secrets with a constant-time function such as hmac.compare_digest().

Added: Jan 21, 2026, 11:22 PM
Updated: Jan 21, 2026, 11:22 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.6
exploitability: 8.4
remediation: 0.0
relevance: 2.2
threat: 4.8
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.