CVE-2025-54365 Overview
A security bypass vulnerability has been identified in fastapi-guard, a security library for FastAPI that provides middleware for IP control, request logging, and penetration attempt detection. In version 3.0.1, the regular expression patterns designed to mitigate ReDoS (Regular Expression Denial of Service) vulnerabilities contain a flaw that allows attackers to bypass security controls. The patches that were implemented to limit string length fail to properly validate inputs that exceed the defined limits, specifically when script tag attributes exceed 100 characters.
Critical Impact
Attackers can bypass security protections in fastapi-guard by crafting malicious payloads with script tag attributes exceeding 100 characters, allowing potential XSS attacks and penetration attempts to evade detection.
Affected Products
- fastapi-guard fastapi_guard version 3.0.1
- Applications using fastapi-guard middleware for security controls
- FastAPI applications relying on fastapi-guard for input validation and XSS prevention
Discovery Timeline
- 2025-07-23 - CVE CVE-2025-54365 published to NVD
- 2025-10-09 - Last updated in NVD database
Technical Details for CVE-2025-54365
Vulnerability Analysis
This vulnerability represents a classic input validation bypass in regex-based security controls. The fastapi-guard library implements regular expression patterns to detect malicious script tags and other penetration attempts. In version 3.0.1, a ReDoS mitigation was applied that attempted to limit the length of matched strings to prevent algorithmic complexity attacks. However, this length limitation contains a critical flaw: it fails to properly handle inputs that exceed the defined character limit.
When an attacker crafts a payload where the attributes of a <script> tag exceed 100 characters, the regex pattern fails to match the input entirely rather than rejecting it. This allows the malicious payload to pass through the security middleware undetected, effectively rendering the XSS and penetration detection capabilities useless against sufficiently long payloads.
Root Cause
The root cause stems from improper regex pattern design (CWE-1333: Inefficient Regular Expression Complexity) combined with improper input validation (CWE-20). The regex patterns were modified to include length limitations as a ReDoS mitigation, but the implementation assumes that limiting the match length would also reject longer inputs. Instead, inputs exceeding the length threshold simply fail to match and are allowed through without triggering security alerts.
Attack Vector
The vulnerability is exploitable over the network without authentication. An attacker can craft HTTP requests containing malicious script tags with attributes exceeding 100 characters. These payloads bypass the regex-based detection mechanisms in fastapi-guard, allowing:
- XSS Attack Bypass: Malicious JavaScript payloads embedded in long script tags evade detection
- Penetration Detection Bypass: Security monitoring fails to log or block malicious requests
- Security Control Circumvention: The entire middleware protection layer becomes ineffective for crafted payloads
The fix implemented in version 3.0.2 addresses this by modifying regex patterns to use appropriate length limitations that properly handle edge cases. As seen in the patch for cloud_handler.py:
# Before (vulnerable pattern with implicit length issues)
pattern = r'href=[\"\\'](https://download\\.microsoft\\.com/' r'.*?\\.json)[\"\\']'
# After (fixed pattern with explicit length bounds)
pattern = r'href=[\"\\'](https://download\\.microsoft\\.com/.{1,500}?\\.json)[\"\\']'
Source: GitHub Commit
Detection Methods for CVE-2025-54365
Indicators of Compromise
- HTTP requests containing unusually long script tag attributes (exceeding 100 characters)
- Web application logs showing requests with extended attribute strings in HTML tags
- Failed security alerts where similar shorter payloads would normally trigger detection
Detection Strategies
- Review fastapi-guard version deployed in production environments and verify version is 3.0.2 or later
- Implement additional WAF rules to detect script tags with attributes exceeding normal lengths
- Audit application logs for requests containing suspicious HTML patterns that bypass built-in detection
- Deploy behavioral analysis to identify anomalous request patterns targeting the middleware
Monitoring Recommendations
- Enable verbose logging in FastAPI applications to capture all incoming request payloads
- Monitor for XSS attack patterns in downstream application layers that may indicate bypass
- Set up alerts for requests with unusual content lengths or patterns matching script injection attempts
- Correlate web server logs with application-level security events to identify detection gaps
How to Mitigate CVE-2025-54365
Immediate Actions Required
- Upgrade fastapi-guard to version 3.0.2 or later immediately
- Review application logs for any evidence of exploitation attempts using long script tag attributes
- Implement additional input validation at the application layer as defense-in-depth
- Consider deploying a Web Application Firewall (WAF) with robust XSS detection capabilities
Patch Information
The vulnerability has been fixed in fastapi-guard version 3.0.2. The security patches address the regex pattern bypass by implementing proper length boundary handling. Organizations should update their Python dependencies to include the patched version.
For detailed patch information, refer to the GitHub Security Advisory and the relevant commits:
Workarounds
- Implement additional regex patterns at the application level that explicitly check for and reject inputs with script tag attributes exceeding safe lengths
- Deploy a WAF or reverse proxy with XSS detection capabilities upstream of the FastAPI application
- Add custom middleware to normalize and truncate suspicious HTML-like content before it reaches fastapi-guard
- Consider input length validation at the API gateway level to reject abnormally large payloads
# Upgrade fastapi-guard to patched version
pip install --upgrade fastapi-guard>=3.0.2
# Verify installed version
pip show fastapi-guard | grep Version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
