Arch Linux Security Advisory ASA-202107-6
=========================================

Severity: Medium
Date    : 2021-07-01
CVE-ID  : CVE-2021-32677
Package : python-fastapi
Type    : cross-site request forgery
Remote  : Yes
Link    : https://security.archlinux.org/AVG-2060

Summary
=======

The package python-fastapi before version 0.65.2-1 is vulnerable to
cross-site request forgery.

Resolution
==========

Upgrade to 0.65.2-1.

# pacman -Syu "python-fastapi>=0.65.2-1"

The problem has been fixed upstream in version 0.65.2.

Workaround
==========

To mitigate the issue, it would be possible to add a middleware or a
dependency that checks the content-type header and aborts the request
if it is not application/json or another JSON compatible content type.

Description
===========

FastAPI versions lower than 0.65.2 that used cookies for authentication
in path operations that received JSON payloads sent by browsers were
vulnerable to a Cross-Site Request Forgery (CSRF) attack.

In versions lower than 0.65.2, FastAPI would try to read the request
payload as JSON even if the content-type header sent was not set to
application/json or a compatible JSON media type (e.g.
application/geo+json).

So, a request with a content type of text/plain containing JSON data
would be accepted and the JSON data would be extracted.

But requests with content type text/plain are exempt from CORS
preflights, for being considered Simple requests. So, the browser would
execute them right away including cookies, and the text content could
be a JSON string that would be parsed and accepted by the FastAPI
application.

Impact
======

A remote attacker could perform cross-origin request forgery (CSRF)
attacks on FastAPI applications accepting JSON payloads.

References
==========

https://github.com/tiangolo/fastapi/security/advisories/GHSA-8h2j-cgx8-6xv7
https://github.com/tiangolo/fastapi/pull/2118
https://github.com/tiangolo/fastapi/commit/fa7e3c996edf2d5482fff8f9d890ac2390dede4d
https://security.archlinux.org/CVE-2021-32677