CVE-2025-54365: CWE-20: Improper Input Validation in rennf93 fastapi-guard

Severity: High
Tags: vulnerability, CVE-2025-54365, CWE-20, CWE-185
Published: Wed Jul 23 2025 (07/23/2025, 22:11:36 UTC)
Source: CVE Database V5
Vendor/Project: rennf93
Product: fastapi-guard

Description

fastapi-guard is a security library for FastAPI that provides middleware to control IPs, log requests, detect penetration attempts and more. In version 3.0.1, the regular expressions that were patched to mitigate the earlier ReDoS vulnerability by capping the length of the string they match fail to catch inputs that exceed that cap. A patch of this kind misses the case in which the string representing the attributes of a <script> tag exceeds 100 characters: the capped pattern no longer matches, so the input is treated as clean. As a result, most of the regex patterns present in version 3.0.1 can be bypassed. This is fixed in version 3.0.2.

AI-Powered Analysis

Last updated: 07/23/2025, 22:47:42 UTC

Technical Analysis

CVE-2025-54365 is a high-severity vulnerability in version 3.0.1 of fastapi-guard, a security library for FastAPI developed by rennf93. fastapi-guard is middleware that controls IP addresses, logs requests, and detects penetration attempts by matching request content against a set of suspicious-pattern regular expressions. The flaw is classified as improper input validation (CWE-20) and incorrect regular expression (CWE-185). Version 3.0.1 mitigated an earlier ReDoS (Regular Expression Denial of Service) issue by capping the length of the string a pattern may match, but a cap of that kind has a blind spot: a pattern that only matches a <script> tag whose attribute string is at most 100 characters long does not match at all when the attribute string is longer, so the engine reports no hit and the request passes. An attacker only needs to pad a payload past the cap to slip it through, and because most of the 3.0.1 pattern set was patched in the same way, most of its patterns can be bypassed. The middleware then no longer blocks the script injection and other payloads it is meant to catch. The vulnerability is exploitable remotely over the network without authentication or user interaction, as the CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates. No exploits are known in the wild, but the CVSS score of 7.8 reflects the significant risk. The issue was fixed in fastapi-guard 3.0.2, which corrects the pattern logic so that long attribute strings in <script> tags are handled, restoring the intended controls. Note that fastapi-guard is a detection layer in front of the application: bypassing it does not by itself compromise the application, but it strips the protection from whatever injection weaknesses the application has.
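To make the blind spot concrete, here is an added Python example. It is not fastapi-guard's code: the capped pattern is a constructed stand-in for a 3.0.1-style length-limited rule, and the hardened pattern is an assumed alternative, not necessarily what 3.0.2 ships. The sample payloads and the host name in them are constructed for the demonstration.

```python
import re
import time

# Constructed, illustrative patterns (not copied from fastapi-guard).
# 3.0.1-style ReDoS fix: cap the attribute string at 100 characters.
# The cap is also a blind spot: a <script> tag whose attribute string is
# longer than 100 characters matches nothing, so the request passes.
CAPPED = re.compile(r"<script[^>]{0,100}>", re.IGNORECASE)

# Assumed hardened pattern (not necessarily the 3.0.2 pattern): a single
# negated character class has no nested quantifier, so the regex engine
# scans it in linear time and needs no length cap at all.
ROBUST = re.compile(r"<script\b[^>]*>", re.IGNORECASE)


def is_flagged(pattern: re.Pattern, payload: str) -> bool:
    """True if the pattern fires anywhere in the payload."""
    return pattern.search(payload) is not None


def padded_script_tag(padding: int) -> str:
    """Constructed attacker payload: a <script> tag whose attribute string is
    `padding` characters of junk before a real src attribute. Browsers ignore
    unknown attributes, so the tag still loads the script."""
    return "<script " + "x" * padding + ' src="//evil.example/p.js"></script>'


def scan_seconds(pattern: re.Pattern, n: int) -> float:
    """Worst case for [^>]*: a <script tag that never closes, n chars long.
    Shows the hardened pattern degrades linearly instead of blowing up."""
    payload = "<script " + "a" * n
    t0 = time.perf_counter()
    pattern.search(payload)
    return time.perf_counter() - t0


if __name__ == "__main__":
    short = '<script src="//evil.example/p.js"></script>'
    padded = padded_script_tag(150)  # attribute string well past the 100 cap
    for name, pat in (("capped", CAPPED), ("robust", ROBUST)):
        print(f"{name:7s} short={is_flagged(pat, short)} "
              f"padded={is_flagged(pat, padded)}")
    # Doubling the input should roughly double the time, not square it.
    for n in (100_000, 200_000, 400_000):
        print(f"robust n={n}: {scan_seconds(ROBUST, n) * 1000:.2f} ms")
```

The lesson carries beyond this one pattern: a bounded quantifier such as `{0,100}` is only a safe ReDoS fix when an over-length input is rejected or flagged by some other check. On its own it converts "too expensive to inspect" into "not inspected", which is exactly the bypass described above.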

Potential Impact

For European organizations running FastAPI applications behind fastapi-guard 3.0.1, this vulnerability lets attackers walk past the middleware's pattern matching. The middleware itself is not the target: what is exposed is whatever the application behind it would have been vulnerable to without the filter, such as cross-site scripting (XSS) through reflected or stored script tags, data exfiltration, or further exploitation of backend systems. A compromised web application can mean confidentiality breaches, integrity violations, and availability disruptions. Because the middleware also exists to flag penetration attempts, a bypassed request is not recorded as an attack, which helps an attacker stay quiet and keep access longer. Organizations in sectors with stringent data-protection requirements, such as finance, healthcare and government, face heightened risk, including regulatory penalties under GDPR if personal data is exposed. The flaw is exploitable over the network, so any externally reachable FastAPI service on the affected version is in scope.

Mitigation Recommendations

European organizations should immediately audit their FastAPI deployments for fastapi-guard 3.0.1, checking installed packages and lockfiles rather than only the version ranges in requirements files. The primary mitigation is to upgrade fastapi-guard to version 3.0.2 or later, where the pattern logic is fixed. Until the upgrade is applied, add input validation and sanitization at the application level, and in particular do not let a length cap become an allow-list: an input that is too long to be inspected should be rejected or flagged, not passed through. Where a Web Application Firewall (WAF) sits in front of the service, confirm that its rules do not share the same bounded-length blind spot and tune them to catch <script> tags with unusually long attribute strings. Security teams should increase monitoring for anomalous request patterns that indicate attempted bypasses, such as long runs of padding inside tags. Penetration testing focused on input validation and regex bypass scenarios can identify residual weaknesses. Finally, organizations should maintain an inventory of dependencies and integrate automated vulnerability scanning into their CI/CD pipelines so that issues of this kind are detected and remediated promptly.
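The audit step above can be scripted. The following is an added Python example, not a tool from the fastapi-guard project: it checks the installed package version through the standard library and scans pinned lines in requirements-style files for an affected version. The requirements lines it runs on are constructed sample input.

```python
import re
from importlib.metadata import PackageNotFoundError, version as installed_version

# First version with the fix, per the advisory.
FIXED = (3, 0, 2)

# Matches exact pins such as "fastapi-guard==3.0.1" (PyPI normalises - and _).
# Range specifiers (>=, ~=) are not decisive; resolve those against a lockfile.
PIN = re.compile(r"^\s*fastapi[-_]guard\s*==\s*([0-9][0-9A-Za-z.]*)", re.IGNORECASE)


def parse_version(text: str) -> tuple:
    """'3.0.1' -> (3, 0, 1); non-numeric suffixes such as 'rc1' are ignored."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def needs_upgrade(ver: str) -> bool:
    """True for any release before the fixed version (3.0.1 is the CVE's target;
    earlier releases still carry the ReDoS that 3.0.1 tried to patch)."""
    return parse_version(ver) < FIXED


def audit_requirements(lines) -> list:
    """Return (pinned_version, needs_upgrade) for every fastapi-guard pin found."""
    findings = []
    for line in lines:
        m = PIN.match(line)
        if m:
            findings.append((m.group(1), needs_upgrade(m.group(1))))
    return findings


def audit_installed() -> str:
    """Report on the fastapi-guard version installed in this interpreter, if any."""
    try:
        ver = installed_version("fastapi-guard")
    except PackageNotFoundError:
        return "fastapi-guard: not installed"
    state = "UPGRADE to >= 3.0.2" if needs_upgrade(ver) else "ok"
    return f"fastapi-guard {ver}: {state}"


# Constructed sample requirements file, not taken from any real project.
SAMPLE_REQUIREMENTS = [
    "fastapi==0.115.0",
    "fastapi-guard==3.0.1",
    "uvicorn==0.30.0",
    "# fastapi_guard==3.0.2  (commented out, still parsed as a non-match)",
]

if __name__ == "__main__":
    for pinned, bad in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"pin fastapi-guard=={pinned}: {'UPGRADE' if bad else 'ok'}")
    print(audit_installed())
```

Run it inside the deployment's virtual environment so `audit_installed` reports the version the service actually imports; a requirements file can disagree with what was resolved and installed.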


Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2025-07-21T16:12:20.731Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 6881630dad5a09ad0028e316

Added to database: 7/23/2025, 10:32:45 PM

Last enriched: 7/23/2025, 10:47:42 PM

Last updated: 7/29/2025, 8:44:33 AM
