AI Security Summary
FastAPI's dominant attack surface spans unauthenticated route exposure, middleware trust misplacement, and missing ownership enforcement on resource endpoints. The recurring mistake is treating framework routing and third-party middleware as implicit security boundaries rather than writing explicit, per-request authorization checks.
Unauthenticated Code Execution via Unprotected Eval Endpoints
Covers: CVE-2025-3248
Risk: ACTIVELY EXPLOITED: attackers reach Python eval/exec endpoints with no auth gate, achieving full remote code execution on the server.
- NEVER expose any endpoint that evaluates, compiles, or executes user-supplied Python code without requiring authenticated, authorized session validation first.
- ALWAYS gate code-execution or scripting endpoints with explicit dependency-injected auth, not just path placement or API key hints in docs.
- NEVER treat an internal or 'admin' URL prefix as a substitute for programmatic authentication enforcement.
- ALWAYS perform input validation that rejects executable content types (AST, bytecode, eval strings) before any processing logic runs.
IP-Based Authorization Bypass via Spoofed Forwarding Headers
Covers: CVE-2025-46814
Risk: Attackers forge X-Forwarded-For or similar proxy headers to impersonate trusted IPs and bypass network-layer access controls.
- NEVER use X-Forwarded-For, X-Real-IP, or CF-Connecting-IP as the sole basis for IP-based access control decisions.
- ALWAYS derive the trusted client IP exclusively from the actual socket/transport layer when making security-sensitive allow/deny decisions.
- NEVER assume middleware IP-allowlisting libraries handle header spoofing correctly without explicitly configuring a trusted proxy list.
- ALWAYS validate that the number of hops in the forwarding chain matches your known proxy topology before trusting any IP value.
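One way to apply these four rules together, as an added example that is not code from the original page or from any middleware library. The proxy network, hop count and allowlist range are constructed for illustration; `peer_addr` stands for the transport-layer peer (`request.client.host` in FastAPI), and the function names are hypothetical.

```python
import ipaddress

# Constructed topology for this example: one reverse proxy in 10.0.0.0/24.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]
EXPECTED_HOPS = 1  # number of our proxies that append to X-Forwarded-For
ALLOWLIST = [ipaddress.ip_network("192.0.2.0/24")]  # constructed admin range


def _in(ip, networks):
    return any(ip in net for net in networks)


def resolve_client_ip(peer_addr, xff, trusted=TRUSTED_PROXIES, hops=EXPECTED_HOPS):
    """Return the address to authorize against.

    peer_addr: transport-layer peer (request.client.host in FastAPI).
    xff: raw X-Forwarded-For header value, or None.
    Raises ValueError when the chain does not match the known topology.
    """
    peer = ipaddress.ip_address(peer_addr)
    if not _in(peer, trusted):
        # Not our proxy: any forwarding header is client-controlled, ignore it.
        return peer
    if not xff:
        raise ValueError("trusted proxy sent no X-Forwarded-For")
    # ip_address() raises ValueError on malformed entries, which fails closed.
    chain = [ipaddress.ip_address(part.strip()) for part in xff.split(",")]
    if len(chain) < hops:
        raise ValueError("forwarding chain shorter than proxy topology")
    # Each proxy appends the address it saw, so only the last `hops` entries
    # were written by our infrastructure; everything to their left is untrusted.
    client, inner = chain[-hops], chain[len(chain) - hops + 1:]
    if not all(_in(ip, trusted) for ip in inner):
        raise ValueError("unexpected non-proxy hop inside trusted segment")
    return client


def is_allowed(peer_addr, xff):
    """Allow/deny decision that fails closed on a malformed chain."""
    try:
        return _in(resolve_client_ip(peer_addr, xff), ALLOWLIST)
    except ValueError:
        return False
```

If the ASGI server is configured to rewrite the client address from proxy headers, `request.client.host` is no longer the socket peer, so pass this function the raw transport address instead.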
Middleware Regex Bypass Allowing Injection Payloads
Covers: CVE-2025-54365
Risk: Bounded or length-limited regex patterns in middleware can be bypassed with oversized or crafted payloads, allowing XSS and SQLi through unvalidated input.
- NEVER rely solely on middleware regex patterns as the last line of defense against injection; enforce input constraints at the handler level too.
- ALWAYS define regex-based input filters with explicit anchoring (^ and $) and length guards applied before the pattern is evaluated.
- NEVER assume a WAF or guard middleware will catch all variants of an injection payload — validate and parameterize at the data layer unconditionally.
- ALWAYS test security middleware with inputs that exceed expected length bounds, contain unicode escapes, and use alternate encodings.
Missing Ownership Enforcement on Resource ID Routes (IDOR)
Covers: CVE-2025-59034
Risk: FastAPI routes accepting resource ID path parameters with stub or absent ownership checks let authenticated users access and modify other users' resources.
- NEVER implement resource-ID authorization as a stub, pass-through, or TODO placeholder in any code path reachable from a route.
- ALWAYS verify that the authenticated principal owns or is explicitly granted access to the resource ID before returning or mutating data.
- ALWAYS use a shared, tested dependency (e.g., FastAPI Depends) for ownership checks so the logic cannot be silently skipped per-route.
- NEVER conflate authentication (who are you?) with authorization (do you own this resource?) — both checks must be present and non-empty.
CSRF via Content-Type Trust Bypass
Covers: CVE-2021-32677
Risk: FastAPI accepting JSON payloads from text/plain requests allows cross-origin forms to trigger state-changing API calls without CORS preflight.
- NEVER process a request body as JSON unless the Content-Type header is strictly application/json, validated server-side before deserialization.
- ALWAYS enforce CSRF tokens or require the SameSite=Strict cookie attribute on any endpoint that mutates server state.
- NEVER depend on browser CORS preflight behavior as a CSRF defense — explicitly reject non-canonical content types in the handler or middleware.
Cross-cutting patterns (all FastAPI / Python projects)
- ALWAYS implement authorization as an explicit, mandatory FastAPI Depends() on every route — never as an optional decorator or documentation annotation.
- NEVER trust any value that originates from an HTTP header (Content-Type, X-Forwarded-For, Origin) for security decisions without server-side canonicalization.
- ALWAYS treat third-party FastAPI middleware as defense-in-depth only, never as the sole enforcement point for authentication, authorization, or injection filtering.