CVE-2025-53539: 
Python vulnerability analysis and mitigation

FastAPI Guard is a security library for FastAPI that provides middleware to control IPs, log requests, and detect penetration attempts. A vulnerability was discovered in versions up to 3.0.0 where the penetration attempts detection feature uses inefficient regex patterns to scan incoming requests, leading to polynomial complexity backtracks when handling specially crafted inputs. The vulnerability was disclosed on July 7, 2025 and assigned CVE-2025-53539 (NVD, GitHub Advisory).

The vulnerability stems from unbounded regex quantifiers in the penetration detection patterns that can cause polynomial complexity backtracking. When processing specially crafted inputs, these inefficient patterns can trigger excessive CPU usage. The vulnerability has been assigned CWE-1333 (Inefficient Regular Expression Complexity) and received a CVSS v4.0 score of 6.9 MEDIUM with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N (Miggo).

Since penetration detection is enabled by default, services using fastapi-guard middleware without explicitly disabling this feature are vulnerable to Denial of Service (DoS) attacks. An attacker can trigger high CPU usage and make a service unresponsive for hours by sending a single request in size of KBs. Single-threaded uvicorn workers cannot handle any other concurrent requests during the processing of malicious input (GitHub Advisory).

The vulnerability has been fixed in version 3.0.1 by replacing unbounded regex quantifiers with bounded ones to prevent catastrophic backtracking. For users unable to upgrade immediately, a workaround is available by explicitly setting enablepenetrationdetection=False in the middleware configuration (GitHub Commit).