
CVE-2025-54365: CWE-20: Improper Input Validation in rennf93 fastapi-guard

Severity: High

Tags: Vulnerability, CVE-2025-54365, CWE-20, CWE-185
Published: Wed Jul 23 2025 (07/23/2025, 22:11:36 UTC)
Source: CVE Database V5
Vendor/Project: rennf93
Product: fastapi-guard

Description

fastapi-guard is a security library for FastAPI that provides middleware to control IPs, log requests, detect penetration attempts and more. In version 3.0.1, the regular expressions patched to mitigate a ReDoS vulnerability by bounding the length of the matched string fail to match inputs that exceed that bound: a <script> tag whose attribute string exceeds 100 characters is not detected. As a result, most of the regex patterns present in version 3.0.1 can be bypassed. This is fixed in version 3.0.2.

AI-Powered Analysis

Last updated: 07/31/2025, 01:06:13 UTC

Technical Analysis

CVE-2025-54365 is a high-severity vulnerability in fastapi-guard version 3.0.1, a middleware library for FastAPI applications that controls IP addresses, logs requests, and detects penetration attempts. It is classified as improper input validation (CWE-20) and incorrect regular expression (CWE-185). Version 3.0.1 patched an earlier Regular Expression Denial of Service (ReDoS) weakness by bounding the detection patterns: the attribute section of a <script> tag, for example, is matched only up to 100 characters, so matching terminates quickly even on long input.

A bounded quantifier restricts what the pattern matches, not what a request may contain. Once the attribute string of a <script> tag exceeds the 100-character bound, the pattern simply fails to match and the payload is passed through as benign. The bypass is a filter evasion rather than an exhaustion attack: it does not need to stall the regex engine, it only needs the pattern not to match, and the advisory notes that most of the regex patterns in 3.0.1 are affected the same way. This undermines the security controls fastapi-guard provides, allowing payloads such as cross-site scripting (XSS) or other injection attempts that the middleware would otherwise flag to pass through undetected. The issue is fixed in version 3.0.2.

The CVSS 4.0 base score is 7.8 (high), reflecting network attack vector, low attack complexity, no privileges or user interaction required, no confidentiality impact, low integrity impact, and high availability impact, with partial exploit code maturity. No known exploits are currently reported in the wild. The vulnerability affects all deployments of fastapi-guard versions >= 3.0.1 and < 3.0.2, that is, FastAPI-based web applications relying on this middleware for security filtering.

Potential Impact

For European organizations running FastAPI applications that rely on fastapi-guard for request filtering, the bypass removes a detection layer they may be counting on. An attacker can pad the attribute section of a payload past the 100-character bound so that the middleware's patterns no longer match, then deliver cross-site scripting (XSS) or other injection payloads that would otherwise have been flagged; what such a payload achieves depends on the application behind the middleware, which is why defenses that do not depend on this filter (context-aware output encoding, parameterized queries) matter. The CVSS vector records a high availability impact, so affected web-facing applications could also be rendered partially or fully unavailable, disrupting business operations and damaging organizational reputation. GDPR obligations on data protection and breach notification apply if exploitation exposes personal data, with the associated penalties. Because no authentication or user interaction is required, attacks can be automated and launched remotely, increasing the risk of widespread exploitation while deployments remain unpatched.

Mitigation Recommendations

European organizations should immediately upgrade fastapi-guard to version 3.0.2 or later, where the vulnerability is fixed; confirm the installed version with `pip show fastapi-guard` and pin `fastapi-guard>=3.0.2` in the project's requirements or lock file so a later dependency resolution cannot reintroduce 3.0.1. Until the upgrade is deployed, add input validation at the application level that is not defeated by length: enforce a maximum size on the request body and on individual fields before any pattern matching runs, reject (rather than skip) inputs that exceed it, and flag HTML tags whose attribute section is unusually long instead of relying on a pattern that only matches short ones. Web Application Firewall (WAF) rules that block unusually long or suspicious input patterns can provide a temporary defense, with the same caveat: a rule whose quantifiers are bounded to a fixed length reproduces the flaw. Monitoring and logging should be enhanced to detect anomalous request patterns, such as repeated requests carrying oversized tag attributes. Security teams should conduct code reviews and penetration testing focused on input validation bypass scenarios, including inputs just above the boundary of any length limit. Incident response plans should include procedures for handling potential exploitation of this vulnerability. Finally, regex-based detection is one layer only: the primary defense against XSS remains context-aware output encoding and a Content Security Policy, and developers should understand that bounding quantifiers as a ReDoS fix trades detection coverage for bounded runtime and is not a substitute for limiting input size before matching.
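The following is an added example, not code from this page or from fastapi-guard itself, that demonstrates both the bypass mechanism described in the Technical Analysis and the length-aware application-level check recommended above. The two patterns, BOUNDED_SCRIPT and UNBOUNDED_SCRIPT, are constructed stand-ins: the first mimics a 3.0.1-style pattern that bounds the attribute section of a <script> tag to 100 characters, the second a linear-time pattern with the size limit moved onto the input; neither is fastapi-guard's real regex or its 3.0.2 fix. MAX_INPUT_LEN, script_tag and longest_tag_body are likewise assumptions made for the example.

```python
import re

# Constructed illustration of the bounded-quantifier failure mode.
# BOUNDED_SCRIPT is an assumed stand-in for a 3.0.1-style "length limited"
# pattern, NOT fastapi-guard's real regex: it matches a <script> tag only if
# the attribute section between "<script" and ">" is at most 100 characters.
BOUNDED_SCRIPT = re.compile(r"<script[^>]{0,100}>", re.IGNORECASE)

# Hardened stand-in (also an assumption, not the 3.0.2 fix): [^>]* is a single
# negated character class with no nested or overlapping quantifier, so the
# engine scans it in linear time and it needs no bound to be ReDoS-safe. The
# size limit is enforced on the whole input instead, before matching runs.
UNBOUNDED_SCRIPT = re.compile(r"<script\b[^>]*>", re.IGNORECASE)
MAX_INPUT_LEN = 10_000  # assumed ceiling for a single request field; tune per app


def script_tag(attr_len: int) -> str:
    """Constructed payload: a <script> tag with attr_len characters of attribute padding."""
    return f'<script {"a" * attr_len}>alert(1)</script>'


def bounded_detects(payload: str) -> bool:
    """Detection as a bounded-quantifier pattern performs it (the 3.0.1 style)."""
    return BOUNDED_SCRIPT.search(payload) is not None


def hardened_detects(payload: str) -> bool:
    """Cap total input first (fail closed), then match with a linear-time pattern."""
    if len(payload) > MAX_INPUT_LEN:
        return True  # oversized input is rejected, not silently skipped
    return UNBOUNDED_SCRIPT.search(payload) is not None


def longest_tag_body(payload: str) -> int:
    """Length of the longest run between a '<' and the next '>' (or end of input).

    A regex-free, linear scan that an application-level check or WAF rule can
    use to flag unusually long tag attribute strings, which is exactly the
    shape of input a bounded pattern lets through.
    """
    longest = 0
    start = None
    for i, ch in enumerate(payload):
        if ch == "<":
            start = i
        elif ch == ">" and start is not None:
            longest = max(longest, i - start - 1)
            start = None
    if start is not None:  # unterminated tag runs to the end of the input
        longest = max(longest, len(payload) - start - 1)
    return longest


if __name__ == "__main__":
    # The bounded pattern stops matching once the attribute section passes
    # 100 characters (attr_len 100 plus the leading space); the hardened
    # check and the length scan keep flagging the same payloads.
    for n in (10, 99, 100, 500):
        p = script_tag(n)
        print(f"attr_len={n:>3} bounded={bounded_detects(p)!s:<5} "
              f"hardened={hardened_detects(p)!s:<5} "
              f"longest_tag_body={longest_tag_body(p)}")
```

Running the script shows the boundary directly: padding of 99 characters is still caught by the bounded pattern, padding of 100 is not, while the hardened check flags every variant. The longest_tag_body scan is the kind of check the mitigation section asks for at the application or WAF layer; a threshold of 100 on its result would catch precisely the inputs that slip past the bounded pattern.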


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-07-21T16:12:20.731Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 6881630dad5a09ad0028e316

Added to database: 7/23/2025, 10:32:45 PM

Last enriched: 7/31/2025, 1:06:13 AM

Last updated: 9/13/2025, 1:50:04 AM

