Overview
CVE-2024-40627 describes a vulnerability in fastapi-opa, an authentication and authorization middleware for FastAPI applications that delegates policy decisions to Open Policy Agent (OPA). In affected versions the middleware lets HTTP OPTIONS requests through without authentication and without policy evaluation, so these preflight-like requests reach the application directly. Because the application's OPTIONS response can differ depending on whether a resource exists or what the caller may do with it, an unauthenticated attacker can infer which entities are present, effectively enumerating resources. This corresponds to CWE-204 (Observable Response Discrepancy): unauthenticated preflight handling exposes existence information through responses that differ by resource state. The issue was fixed in fastapi-opa 2.0.1, and upgrading is strongly advised. No vendor workaround is known that safely addresses this behavior without upgrading.
In real FastAPI deployments this manifests wherever an application relies on an affected fastapi-opa version (or similar middleware) for authorization: the middleware hands OPTIONS requests to the application without authenticating the caller or evaluating policy, and nothing downstream compensates. An attacker can issue OPTIONS requests across candidate paths and compare status codes and headers (for example, an Allow header on an existing resource versus a 404 on a missing one) to inventory the API surface without credentials. This is particularly problematic for publicly exposed APIs and for services behind a permissive policy or a misconfigured CORS setup, where OPTIONS is reachable even though every other method requires authorization.
The core remediation is to upgrade to fastapi-opa 2.0.1 or later, so that OPTIONS requests are evaluated under the same authentication and policy flow as other methods. If upgrading is not possible, add a compensating control that authenticates and policy-checks OPTIONS requests app-wide and answers unauthenticated ones with one constant response regardless of whether the path exists; a guard on individual routes still leaves unhandled paths distinguishable through the framework's default 404 (unknown path) versus 405 (known path, method not allowed) responses. Audit policies for unintended information disclosure, adopt secure defaults for policy evaluation, verify that every request method is authorized consistently, and include tests that explicitly probe OPTIONS behavior for leakage.
References: CVE-2024-40627, CWE-204, and the vendor fix in fastapi-opa 2.0.1.
Affected Versions
<= 2.0.0
Code Fix Example
FastAPI API Security Remediation
Vulnerable pattern
# vulnerable_example.py  (fastapi-opa <= 2.0.0)
from fastapi import FastAPI
from fastapi_opa import OPAConfig, OPAMiddleware
from fastapi_opa.auth import OIDCAuthentication, OIDCConfig

# Placeholder identity-provider settings; substitute your own.
oidc_auth = OIDCAuthentication(OIDCConfig(
    well_known_endpoint="http://localhost:8080/realms/example/.well-known/openid-configuration",
    app_uri="http://localhost:4000",
    client_id="example-client",
    client_secret="secret",
))
app = FastAPI()
# Vulnerable: in fastapi-opa <= 2.0.0 the middleware passes OPTIONS requests
# straight to the application without authentication or OPA policy evaluation.
app.add_middleware(OPAMiddleware, config=OPAConfig(authentication=oidc_auth, opa_host="http://localhost:8181"))

@app.get("/resources/{resource_id}")
async def read_resource(resource_id: int):
    return {"resource_id": resource_id}
Fixed pattern
# fixed_example.py
from fastapi import FastAPI, HTTPException, Request
from fastapi_opa import OPAConfig, OPAMiddleware
from fastapi_opa.auth import OIDCAuthentication, OIDCConfig

# Fixed: run fastapi-opa >= 2.0.1 (pin it in requirements), which puts OPTIONS
# requests through the same authentication and policy flow as other methods.
oidc_auth = OIDCAuthentication(OIDCConfig(
    well_known_endpoint="http://localhost:8080/realms/example/.well-known/openid-configuration",
    app_uri="http://localhost:4000",
    client_id="example-client",
    client_secret="secret",
))
app = FastAPI()
app.add_middleware(OPAMiddleware, config=OPAConfig(authentication=oidc_auth, opa_host="http://localhost:8181"))

# If upgrading is not possible, guard OPTIONS explicitly. Checking only that an
# Authorization header is present is illustrative, not authentication: validate
# the credential exactly as your other routes do. This also covers one route only;
# paths without an OPTIONS handler still answer 405 (route exists) or 404 (it does
# not), so a complete workaround needs an app-wide guard.
@app.options("/resources/{resource_id}")
async def options_resource(request: Request, resource_id: int):
    if "Authorization" not in request.headers:
        raise HTTPException(status_code=401, detail="Unauthorized")
    return {}

@app.get("/resources/{resource_id}")
async def read_resource(resource_id: int):
    return {"resource_id": resource_id}
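The app-wide compensating control and the OPTIONS leakage test recommended in the Overview, as an added example that is not part of fastapi-opa or this advisory. It is written as plain ASGI so it runs offline without FastAPI or an identity provider and generalizes to any ASGI application: a toy resource_app reproduces the observable discrepancy (204 with Allow for an existing resource, 404 for a missing one), AuthenticatedOptionsMiddleware answers every unauthenticated OPTIONS request with the same constant 401, and probe_options is the enumeration check you would keep in a test suite. resource_app, the middleware, probe_options, DEMO_TOKEN and demo_token_is_valid are all constructed assumptions for this example.

```python
"""Added example: probe an ASGI app for OPTIONS-based resource enumeration and
wrap it in a compensating control. Pure ASGI + asyncio; no FastAPI required."""
import asyncio
import hmac

# Constructed demo state: resources 1 and 2 exist, 3 does not.
EXISTING_RESOURCES = {1, 2}
# Hypothetical shared token for the demo only; a real deployment validates a
# signed credential (the OIDC token fastapi-opa expects), not a static string.
DEMO_TOKEN = "demo-token"


def _header(scope, name):
    """Return one HTTP header value from an ASGI scope, or None if absent."""
    wanted = name.lower().encode()
    for key, value in scope.get("headers", []):
        if key.lower() == wanted:
            return value.decode()
    return None


async def _respond(send, status, body=b"", extra_headers=()):
    """Emit a complete ASGI HTTP response."""
    headers = [(b"content-length", str(len(body)).encode()), *extra_headers]
    await send({"type": "http.response.start", "status": status, "headers": headers})
    await send({"type": "http.response.body", "body": body})


async def resource_app(scope, receive, send):
    """Toy ASGI app standing in for the FastAPI routes on this page.

    OPTIONS answers 204 (with Allow) when the resource exists and 404 otherwise;
    that difference is the observable discrepancy an attacker enumerates.
    """
    prefix = "/resources/"
    path = scope["path"]
    if not path.startswith(prefix) or not path[len(prefix):].isdigit():
        return await _respond(send, 404, b"not found")
    if int(path[len(prefix):]) not in EXISTING_RESOURCES:
        return await _respond(send, 404, b"not found")
    if scope["method"] == "OPTIONS":
        return await _respond(send, 204, extra_headers=[(b"allow", b"GET, OPTIONS")])
    await _respond(send, 200, b'{"resource_id": %s}' % path[len(prefix):].encode())


class AuthenticatedOptionsMiddleware:
    """App-wide compensating control for OPTIONS requests.

    Every OPTIONS request must carry a valid bearer token; anything else gets
    the same constant 401 regardless of path, so existence never leaks before
    authentication. Other methods pass through to the inner middleware/app.
    """

    def __init__(self, app, token_is_valid):
        self.app = app
        self.token_is_valid = token_is_valid

    async def __call__(self, scope, receive, send):
        if scope["type"] == "http" and scope["method"] == "OPTIONS":
            scheme, _, token = (_header(scope, "authorization") or "").partition(" ")
            if scheme.lower() != "bearer" or not self.token_is_valid(token):
                return await _respond(send, 401, b"unauthorized",
                                      extra_headers=[(b"www-authenticate", b"Bearer")])
        await self.app(scope, receive, send)


def demo_token_is_valid(token):
    """Placeholder validator: constant-time compare against the demo token."""
    return hmac.compare_digest(token.encode(), DEMO_TOKEN.encode())


async def _call(app, method, path, headers=None):
    """Minimal ASGI driver: run one request and return its status code."""
    scope = {"type": "http", "method": method, "path": path,
             "headers": [(k.lower().encode(), v.encode())
                         for k, v in (headers or {}).items()]}
    seen = {}

    async def receive():
        return {"type": "http.request", "body": b"", "more_body": False}

    async def send(message):
        if message["type"] == "http.response.start":
            seen["status"] = message["status"]

    await app(scope, receive, send)
    return seen["status"]


def probe_options(app, paths, headers=None):
    """Send OPTIONS to each path and map path -> status code.

    Differing codes across paths on unauthenticated probes mean the app leaks
    which resources exist; one uniform code means the guard holds.
    """
    return {p: asyncio.run(_call(app, "OPTIONS", p, headers)) for p in paths}


if __name__ == "__main__":
    paths = ["/resources/1", "/resources/3"]
    guarded = AuthenticatedOptionsMiddleware(resource_app, demo_token_is_valid)
    print("unguarded: ", probe_options(resource_app, paths))
    print("guarded:   ", probe_options(guarded, paths))
    print("with token:", probe_options(guarded, paths, {"Authorization": f"Bearer {DEMO_TOKEN}"}))
```

In a real deployment replace demo_token_is_valid with the same credential validation your other routes use and wrap the guard around the whole app so it runs before OPAMiddleware. If browser clients need CORS preflights, note that preflights never carry credentials: let Starlette's CORSMiddleware answer them (it responds to requests carrying Origin and Access-Control-Request-Method without calling the application), and keep it outside this guard, remembering that with add_middleware the middleware added last runs first.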