
Cloud Vulnerability DB
A community-led vulnerabilities database
fastapi-guard is a security library for FastAPI that provides middleware to control IPs, log requests, detect penetration attempts and more. Version 3.0.1 patched an earlier ReDoS vulnerability by limiting the length of the strings its regular expressions match, but the patched expressions fail to match inputs that exceed those limits, so such inputs pass the checks undetected. This vulnerability (CVE-2025-54365) affects version 3.0.1 and was fixed in version 3.0.2. The issue was discovered on July 23, 2025 (GitHub Advisory).
The vulnerability stems from an improper implementation of string length limitations in regular expressions meant to prevent ReDoS attacks. The patch in version 3.0.1 attempted to mitigate ReDoS by replacing unbounded quantifiers with bounded ones (e.g., changing ]*>[^<]*</script\s*> to ]{0,100}>[^<]{0,1000}</script\s{0,10}>). A bounded quantifier, however, does not reject longer input; it simply stops matching once the input exceeds the bound. A tag whose attribute string is longer than the specified limit therefore no longer matches the pattern at all, and the check fails open. This allows attackers to bypass most of the regex patterns present in version 3.0.1. The vulnerability has been assigned a CVSS v4.0 score of 7.8 (HIGH) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:P (NVD).
Because most of the patterns in version 3.0.1 carry the same bounded quantifiers, an attacker who pads the relevant portion of a payload past the bound can bypass them, leaving attacks such as Cross-Site Scripting (XSS) and SQL Injection undetected. The bypass matters most for applications that rely on these regex patterns as their input validation layer: the detection control is circumvented, and any underlying injection flaw in the application is then reachable (GitHub Advisory).
The vulnerability has been fixed in version 3.0.2 of fastapi-guard. The fix adds a timeout mechanism to prevent catastrophic backtracking, rather than relying on length bounds inside the patterns, and corrects the regex pattern matching. Users should upgrade to version 3.0.2, which introduces a new regex_timeout parameter to SecurityConfig to allow custom timeout settings for regex pattern matching (GitHub Commit).
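The bypass described above, and the two ways of closing it (failing closed on over-limit input, or keeping unbounded patterns but matching under a timeout as the 3.0.2 fix is described as doing), as an added example written for this page. It is not fastapi-guard's code and does not use its API. The advisory quotes only the tail of each pattern, so the <script[^> prefix is assumed; the payloads, the overflow alternation and the thread-based timeout wrapper are this example's own constructions.

```python
"""Added example for CVE-2025-54365: why bounded quantifiers fail open.

Not fastapi-guard's code.  The "<script[^>" prefix is assumed (the advisory
quotes only the tail of each pattern); payloads and helpers are constructed.
"""
import concurrent.futures
import re

# Pre-3.0.1 style: unbounded quantifiers, prone to catastrophic backtracking.
UNBOUNDED = re.compile(r"<script[^>]*>[^<]*</script\s*>", re.IGNORECASE)

# 3.0.1 style: quantifiers bounded to cap backtracking.  Fails open: once the
# attribute string is longer than 100 chars the pattern cannot match at all.
BOUNDED = re.compile(r"<script[^>]{0,100}>[^<]{0,1000}</script\s{0,10}>", re.IGNORECASE)

# Fail-closed variant (this example's suggestion, not the upstream fix): keep
# the bounded body but add alternatives that match the overflow itself, so an
# over-limit attribute or body string is flagged instead of silently ignored.
BOUNDED_FAIL_CLOSED = re.compile(
    r"<script[^>]{0,100}>[^<]{0,1000}</script\s{0,10}>"
    r"|<script[^>]{101}"                 # attribute string longer than 100
    r"|<script[^>]{0,100}>[^<]{1001}",   # body longer than 1000
    re.IGNORECASE,
)


def attribute_overflow_payload(n_attr: int = 150) -> str:
    """Constructed payload: <script> tag whose attribute string is n_attr chars."""
    return "<script " + "a" * n_attr + ">alert(1)</script>"


def body_overflow_payload(n_body: int = 1100) -> str:
    """Constructed payload: <script> tag whose body is n_body chars."""
    return "<script>" + "b" * n_body + "</script>"


def detect(pattern: re.Pattern, text: str) -> bool:
    """Plain search; returns False for anything the pattern cannot match."""
    return pattern.search(text) is not None


def detect_with_timeout(pattern: re.Pattern, text: str, timeout_s: float = 0.1) -> bool:
    """Run an unbounded pattern under a wall-clock budget and fail closed.

    Independent illustration of the regex-timeout idea, not the 3.0.2 code.
    Python's re engine cannot be interrupted, so a timed-out search keeps
    burning its worker thread: this bounds request latency, not CPU, and
    must be paired with a cap on input size before matching.
    """
    pool = concurrent.futures.ThreadPoolExecutor(max_workers=1)
    future = pool.submit(pattern.search, text)
    try:
        return future.result(timeout=timeout_s) is not None
    except concurrent.futures.TimeoutError:
        return True  # treat "too slow to decide" as malicious
    finally:
        pool.shutdown(wait=False)


if __name__ == "__main__":
    samples = [
        ("benign", "<b>hello</b>"),
        ("plain script", "<script>alert(1)</script>"),
        ("attr overflow", attribute_overflow_payload()),
        ("body overflow", body_overflow_payload()),
    ]
    for name, text in samples:
        print(f"{name:14s} unbounded={detect(UNBOUNDED, text)!s:5} "
              f"bounded={detect(BOUNDED, text)!s:5} "
              f"fail_closed={detect(BOUNDED_FAIL_CLOSED, text)!s:5} "
              f"timeout_wrapper={detect_with_timeout(UNBOUNDED, text)}")
```

Running the block shows the 3.0.1-style pattern reporting False for both overflow payloads while the unbounded pattern and the fail-closed variant report True. The overflow alternatives are cheap because they have no nested or overlapping quantifiers; the timeout wrapper is the more general approach but only limits how long a request waits, so an attacker can still consume worker threads unless request and field sizes are capped first.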
Source: This report was generated using AI