CVE-2025-54365 HIGH

CVE-2025-54365: fastapi-guard patch contains bypassable RegEx

Vendor Rennf93
Product fastapi-guard
Weakness CWE-20 · Input validation
Published July 23, 2025
Last update July 24, 2025

CVSS base score

7.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:P

What the vulnerability does

01Description

fastapi-guard is a security library for FastAPI that provides middleware to control IPs, log requests, detect penetration attempts and more. In version 3.0.1, the regular expression patched to mitigate the ReDoS vulnerability by limiting the length of string fails to catch inputs that exceed this limit. This type of patch fails to detect cases in which the string representing the attributes of a <script> tag exceeds 100 characters. As a result, most of the regex patterns present in version 3.0.1 can be bypassed. This is fixed in version 3.0.2.

Key dates

02Disclosure timeline

July 23, 2025 CVE published
July 24, 2025 Record updated