CVE-2025-53539
Analyzed - Analysis Complete
BaseFortify

Publication date: 2025-07-07

Last updated on: 2025-12-31

Assigner: GitHub, Inc.

Description
FastAPI Guard is a security library for FastAPI that provides middleware to control IPs, log requests, and detect penetration attempts. fastapi-guard's penetration attempts detection uses regex to scan incoming requests. However, some of the regex patterns used in detection are extremely inefficient and can cause polynomial complexity backtracks when handling specially crafted inputs. This vulnerability is fixed in 3.0.1.
Meta Information
Published: 2025-07-07
Last Modified: 2025-12-31
Generated: 2026-05-07
AI Q&A: 2025-07-07
EPSS Evaluated: 2026-05-05
NVD
Affected Vendors & Products
1 associated CPE
Vendor: fastapi-guard | Product: fastapi_guard | Version / Range: up to 3.0.1 (exclusive)
CWE
CWE-1333: The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-53539 is a Regular Expression Denial of Service (ReDoS) vulnerability in the fastapi-guard library, specifically in its penetration attempts detection feature. The library scans incoming requests against regex attack signatures, and some of those patterns use unbounded quantifiers whose character runs overlap, so on specially crafted input the engine must retry every possible split point. That backtracking grows polynomially with the input length, so a single request of a few kilobytes can cost far more CPU time than a normal request. An attacker exploits this by sending requests containing long repeated sequences of the characters the patterns expect (for example '<', spaces, quotes and 'url('), keeping the worker busy in the regex engine until the service becomes unresponsive. Versions up to and including 3.0.0 are affected; version 3.0.1 fixes the issue by bounding the regex quantifiers so that the amount of backtracking per input position is capped. [1, 2]


How can this vulnerability impact me?

This vulnerability can cause a denial-of-service (DoS) condition: the fastapi-guard middleware consumes excessive CPU time when it runs its detection regexes over a specially crafted request, so request handling slows down or times out and the service becomes unresponsive. Because the middleware runs before the application handles the request, the cost is paid for every crafted request regardless of which route it targets. Since the penetration detection feature is enabled by default, any service using an affected fastapi-guard version without disabling this feature is exposed, with direct impact on availability and user experience. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring for unusually high CPU usage or long request processing times in services that run fastapi-guard with penetration detection enabled. A proof of concept sends specially crafted HTTP requests containing long repeated sequences of characters such as '<', spaces, quotes and 'url(', which drive the inefficient regex patterns into deep backtracking and delay the response. For detection, network capture tools such as tcpdump or Wireshark can identify such payloads in traffic, and curl or another HTTP client can send test payloads to your own FastAPI service while you measure the response time (curl's -w '%{time_total}\n' prints the total elapsed time for the request). Example command to test the vulnerability: curl -X GET 'http://your-fastapi-service/' -d '<url(url(url(url(url(... repeated n times ...)))' and measure the response time; repeat with the payload doubled and compare, since a ReDoS-susceptible pattern shows response times that grow much faster than the payload. Monitoring logs for slow request handling or timeouts can also help detect exploitation attempts. [1]
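The backtracking behaviour described in the first two answers, and the timing-based detection approach suggested here, can be reproduced offline. The following is an added example written for this page; it is not code from fastapi-guard, and the two regex patterns in it are constructed to show the vulnerable pattern class (unbounded, overlapping character runs) beside a bounded variant. The specific cap of 256 is an assumption for illustration, not the limit used in the 3.0.1 fix. Beyond the timing comparison, the example also shows the trade-off that bounding quantifiers introduces: a run longer than the cap is no longer matched.

```python
"""ReDoS demonstration for the CVE-2025-53539 pattern class.

An unbounded, overlapping-quantifier pattern is timed against a bounded
variant on crafted input. Both patterns are constructed for illustration
and are NOT the patterns shipped in fastapi-guard.
"""
import re
import time

# Constructed signature in the style of a CSS url() injection check.
# Both `[^>]*` and `[^)]*` are unbounded, and `[^>]*` also swallows the
# literal `url(` it is meant to stop before. On input that never closes
# the `)`, the engine retries every split point: O(n^2) backtracking.
VULNERABLE_PATTERN = re.compile(r"<[^>]*url\([^)]*\)")

# Hardened variant: both runs are capped so the work per '<' is constant.
# The page says 3.0.1 bounds the quantifiers; the limit 256 is an assumption.
BOUNDED_PATTERN = re.compile(r"<[^>]{0,256}url\([^)]{0,256}\)")


def crafted_payload(repeats: int) -> str:
    """Constructed ReDoS input: '<' followed by 'url(' repeated, never closed."""
    return "<" + "url(" * repeats


def time_search(pattern: "re.Pattern[str]", text: str) -> tuple[bool, float]:
    """Run pattern.search once; return (matched, elapsed_seconds)."""
    start = time.perf_counter()
    matched = pattern.search(text) is not None
    return matched, time.perf_counter() - start


def compare_growth(sizes=(1000, 2000, 4000, 8000)) -> list[tuple[int, float, float]]:
    """Time both patterns on growing payloads; returns (repeats, vuln_s, bounded_s)."""
    rows = []
    for repeats in sizes:
        text = crafted_payload(repeats)
        _, vuln_s = time_search(VULNERABLE_PATTERN, text)
        _, bounded_s = time_search(BOUNDED_PATTERN, text)
        rows.append((repeats, vuln_s, bounded_s))
    return rows


def detection_gap(padding: int = 300) -> tuple[bool, bool]:
    """Caveat of the fix: a run longer than the cap is not matched any more.

    Returns (vulnerable_matches, bounded_matches) for a constructed payload
    whose style attribute is padded past the 256-character cap.
    """
    text = '<div style="' + "a" * padding + ';background:url(javascript:alert(1))">'
    return (VULNERABLE_PATTERN.search(text) is not None,
            BOUNDED_PATTERN.search(text) is not None)


if __name__ == "__main__":
    # Doubling the payload roughly quadruples the unbounded pattern's time,
    # while the bounded pattern stays flat.
    for repeats, vuln_s, bounded_s in compare_growth():
        print(f"url( x{repeats:>5}: unbounded {vuln_s:8.4f}s  bounded {bounded_s:8.6f}s")
    print("over-long run detected? unbounded=%s bounded=%s" % detection_gap())
```

Run it as a script to see the growth table. Note that `detection_gap()` reports the unbounded pattern matching and the bounded one missing: bounding quantifiers removes the backtracking blow-up but also narrows what the signature detects, which is why an upgrade should be paired with a check that the signatures still cover the inputs you care about.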


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade the fastapi-guard package to version 3.0.1 or later, where the vulnerability is fixed by bounding the regex quantifiers so that catastrophic backtracking cannot occur. If upgrading is not immediately possible, disable the penetration detection feature by setting enable_penetration_detection=False in the middleware configuration so that the vulnerable regex patterns are never evaluated; note that this also removes the protection that feature provides, so treat it as a stopgap until the upgrade is applied. Additionally, rate-limiting incoming requests and capping request size at a reverse proxy reduce how much CPU time a single client can consume, and monitoring request latency helps spot exploitation attempts. [1, 2]
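The two steps in this answer (confirm whether the installed version is in the affected range, and if so disable the feature until the upgrade lands) can be scripted. The following is an added example written for this page, not code from fastapi-guard. The affected range follows the CPE on this page ("up to 3.0.1, exclusive"). The import path `guard` and the class name `SecurityConfig` are assumptions about the library's public API; `enable_penetration_detection` is the setting named in the answer above.

```python
"""Audit helper for CVE-2025-53539 (added example, not part of fastapi-guard).

Checks the installed fastapi-guard version against the fixed release 3.0.1
and shows the interim configuration that disables penetration detection.
"""
from importlib import metadata

FIXED_VERSION = (3, 0, 1, 0)  # 3.0.1 final release, in parse_version() form


def parse_version(text: str) -> tuple[int, int, int, int]:
    """Parse 'X', 'X.Y', 'X.Y.Z' or 'X.Y.ZrcN' into a comparable 4-tuple.

    Three numeric fields (missing ones read as 0) plus a final flag that is
    -1 for a pre-release suffix (a0, b1, rc2) and 0 for a final release.
    .postN and local versions are out of scope; use packaging.version there.
    """
    nums: list[int] = []
    flag = 0
    for seg in text.strip().split("."):
        digits = ""
        for ch in seg:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:                 # segment without a leading number: stop
            break
        nums.append(int(digits))
        if len(digits) != len(seg):    # numeric field with a suffix, e.g. '1rc1'
            flag = -1
            break
    nums = (nums + [0, 0, 0])[:3]
    return (nums[0], nums[1], nums[2], flag)


def is_vulnerable(version: str) -> bool:
    """True when version < 3.0.1, matching the CPE range 'to 3.0.1 (exc)'."""
    return parse_version(version) < FIXED_VERSION


def installed_status(dist_name: str = "fastapi-guard") -> str:
    """Look up the installed distribution and return a one-line verdict."""
    try:
        version = metadata.version(dist_name)
    except metadata.PackageNotFoundError:
        return f"{dist_name} is not installed"
    if is_vulnerable(version):
        return f"{dist_name} {version} is affected by CVE-2025-53539: upgrade to >= 3.0.1"
    return f"{dist_name} {version} is not affected (>= 3.0.1)"


def build_security_config():
    """Interim hardening when the upgrade cannot ship yet.

    ASSUMPTION: fastapi-guard exposes `guard.SecurityConfig` and the
    middleware is wired with app.add_middleware(SecurityMiddleware, config=...).
    enable_penetration_detection is the setting named on this page; all other
    fields keep their defaults. Turning it off also removes that protection.
    """
    from guard import SecurityConfig  # deferred: only needed at application start
    return SecurityConfig(enable_penetration_detection=False)


if __name__ == "__main__":
    print(installed_status())
```

`installed_status()` is what you would run inside each deployed virtualenv; `build_security_config()` is only for the window between finding an affected version and rolling out 3.0.1, and should be reverted once the upgrade is in place.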

