Dependency vulnerability alerts for FastAPI / Python (advisory; requires confirmation).
# FastAPI / Python security dependency alerts

Dependency-related security advisories. These instructions MUST NOT automatically edit dependency files.

Verb contract: WARN + CONFIRM + CHECK. No ALWAYS pinning or silent upgrades.

### CVE-2025-3248 — FastAPI unauthenticated RCE via code eval endpoint (Langflow)

Context: An unauthenticated code-validation endpoint allowed arbitrary Python execution via the Langflow integration. Actively exploited in the wild.

Source: https://cloudsmith.com/blog/cve-2025-3248

WHEN you detect `langflow` in this project at a vulnerable version:

WARN the developer:

⚠️ CVE-2025-3248: langflow may be vulnerable. An unauthenticated code-validation endpoint allowed arbitrary Python execution via the Langflow integration. Actively exploited in the wild. Patched versions: langflow >=1.3.0

CHECK for dependency conflicts before proposing any upgrade:

Run: `python -m pip show langflow`

DO NOT modify dependency files without developer confirmation.

WHEN the developer confirms they want to upgrade:

1. Show the dependency tree output and identify conflicts
2. Propose a migration plan (including breaking changes) before editing files
3. Only then apply the upgrade

---

### CVE-2025-46814 — FastAPI Guard Auth Bypass via X-Forwarded-For

Context: Attackers can spoof X-Forwarded-For to bypass naive IP allowlists in front of FastAPI apps.

Source: https://www.sentinelone.com/vulnerability-database/cve-2025-46814/

WHEN you detect `fastapi-guard` in this project at a vulnerable version:

WARN the developer:

⚠️ CVE-2025-46814: fastapi-guard may be vulnerable. Attackers can spoof X-Forwarded-For to bypass naive IP allowlists in front of FastAPI apps. Patched versions: fastapi-guard >=2.0.0

CHECK for dependency conflicts before proposing any upgrade:

Run: `python -m pip show fastapi-guard`

DO NOT modify dependency files without developer confirmation.

WHEN the developer confirms they want to upgrade:

1. Show the dependency tree output and identify conflicts
2. Propose a migration plan (including breaking changes) before editing files
3. Only then apply the upgrade

---

### CVE-2025-54365 — FastAPI Guard regex bypass — XSS/SQLi through middleware

Context: Regex-only middleware was bypassed with oversized payloads, allowing XSS/SQLi-class abuse.

Source: https://www.miggo.io/vulnerability-database/cve/CVE-2025-54365

WHEN you detect `fastapi-guard` in this project at a vulnerable version:

WARN the developer:

⚠️ CVE-2025-54365: fastapi-guard may be vulnerable. Regex-only middleware was bypassed with oversized payloads, allowing XSS/SQLi-class abuse. Patched versions: fastapi-guard >=3.0.2

CHECK for dependency conflicts before proposing any upgrade:

Run: `python -m pip show fastapi-guard`

DO NOT modify dependency files without developer confirmation.

WHEN the developer confirms they want to upgrade:

1. Show the dependency tree output and identify conflicts
2. Propose a migration plan (including breaking changes) before editing files
3. Only then apply the upgrade

---

### CVE-2025-59034 — FastAPI IDOR — route missing authorization check (found by Claude Code)

Context: Resource IDs in routes were accepted without ownership checks, enabling IDOR across tenants.

Source: https://semgrep.dev/blog/2025/can-llms-detect-idors

WHEN you detect `fastapi` in this project at a vulnerable version:

WARN the developer:

⚠️ CVE-2025-59034: fastapi may be vulnerable. Resource IDs in routes were accepted without ownership checks, enabling IDOR across tenants. Patched versions: none; fastapi manual fix required

CHECK for dependency conflicts before proposing any upgrade:

Run: `python -m pip show fastapi`

DO NOT modify dependency files without developer confirmation.

WHEN the developer confirms they want to upgrade:

1. Show the dependency tree output and identify conflicts
2. Propose a migration plan (including breaking changes) before editing files
3. Only then apply the upgrade

---

### CVE-2021-32677 — FastAPI CSRF via text/plain content-type bypass

Context: Older FastAPI accepted JSON bodies submitted as text/plain, weakening CSRF preflight assumptions.

Source: https://github.com/advisories/GHSA-8h2j-cgx8-6xv7

WHEN you detect `fastapi` in this project at a vulnerable version:

WARN the developer:

⚠️ CVE-2021-32677: fastapi may be vulnerable. Older FastAPI accepted JSON bodies submitted as text/plain, weakening CSRF preflight assumptions. Patched versions: fastapi >=0.65.2

CHECK for dependency conflicts before proposing any upgrade:

Run: `python -m pip show fastapi`

DO NOT modify dependency files without developer confirmation.

WHEN the developer confirms they want to upgrade:

1. Show the dependency tree output and identify conflicts
2. Propose a migration plan (including breaking changes) before editing files
3. Only then apply the upgrade

---
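As an added example (not part of the original rules file), the script below applies the detect, WARN, CHECK flow above to the advisory table on this page: it reads the installed versions of `fastapi`, `fastapi-guard` and `langflow`, compares them with the patched versions listed, and prints the warning lines; it never touches dependency files. The version-comparison helper and the `evaluate` / `scan_environment` names are my own assumptions, and an advisory with no patched version (the IDOR entry) always fires because only a manual fix resolves it.

```python
import re
from importlib.metadata import PackageNotFoundError, version as installed_version

# Advisory table copied from the alerts above. A patched version of None means the
# package has no fixing release, so the alert always fires (manual fix required).
ADVISORIES = [
    ("CVE-2025-3248", "langflow", "1.3.0",
     "unauthenticated code-validation endpoint allowed arbitrary Python execution"),
    ("CVE-2025-46814", "fastapi-guard", "2.0.0",
     "X-Forwarded-For spoofing bypasses naive IP allowlists"),
    ("CVE-2025-54365", "fastapi-guard", "3.0.2",
     "regex-only middleware bypassed with oversized payloads (XSS/SQLi-class)"),
    ("CVE-2025-59034", "fastapi", None,
     "resource IDs in routes accepted without ownership checks (IDOR)"),
    ("CVE-2021-32677", "fastapi", "0.65.2",
     "JSON bodies accepted as text/plain, weakening CSRF assumptions"),
]

def parse_version(text):
    """Leading numeric parts zero-padded to 3 places ('1.3' == '1.3.0'); suffixes like 'rc1' are ignored (assumption)."""
    match = re.match(r"\d+(?:\.\d+)*", text.strip())
    parts = [int(n) for n in match.group(0).split(".")] if match else [0]
    return tuple(parts + [0] * (3 - len(parts)))

def evaluate(installed):
    """installed maps package name -> version string; returns one WARN line per advisory that applies."""
    alerts = []
    for cve, pkg, fixed, summary in ADVISORIES:
        ver = installed.get(pkg)
        if ver is None:
            continue  # package not used by this project: nothing to warn about
        if fixed is None or parse_version(ver) < parse_version(fixed):
            fix = f"Patched versions: {pkg} >={fixed}" if fixed else "Manual fix required"
            alerts.append(f"⚠️ {cve}: {pkg} {ver} may be vulnerable. {summary}. "
                          f"{fix}. CHECK before upgrading: python -m pip show {pkg}")
    return alerts

def scan_environment(packages=("fastapi", "fastapi-guard", "langflow")):
    """Read versions from the running interpreter; reports only, never edits files."""
    found = {}
    for pkg in packages:
        try:
            found[pkg] = installed_version(pkg)
        except PackageNotFoundError:
            pass  # not installed in this environment
    return evaluate(found)

if __name__ == "__main__":
    print("\n".join(scan_environment() or ["No matching advisories for installed packages."]))
```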