CVE-2025-53539: fastapi-guard is vulnerable to ReDoS through inefficient regex

July 7, 2025

fastapi-guard detects penetration attempts by using regex patterns to scan incoming requests. However, some of the regex patterns used in detection are extremely inefficient and can cause polynomial complexity backtracks when handling specially crafted inputs.

It is not as severe as exponential complexity ReDoS, but still downgrades performance and allows DoS exploits. An attacker can trigger high cpu usage and make a service unresponsive for hours by sending a single request in size of KBs.

References

github.com/advisories/GHSA-j47q-rc62-w448
github.com/rennf93/fastapi-guard
github.com/rennf93/fastapi-guard/commit/d9d50e8130b7b434cdc1b001b8cfd03a06729f7f
github.com/rennf93/fastapi-guard/security/advisories/GHSA-j47q-rc62-w448
nvd.nist.gov/vuln/detail/CVE-2025-53539

Code Behaviors & Features

Detect and mitigate CVE-2025-53539 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →