Overview
CVE-2024-42816 describes a cross-site scripting (XSS) vulnerability in the Create Product flow of fastapi-admin pro v0.1.4: an attacker who can submit a product name can inject arbitrary HTML or script through the Product Name field. It is an instance of CWE-79, Improper Neutralization of Input During Web Page Generation (XSS). The application concatenates the submitted name into an HTML response or template without escaping it, so the payload executes in the origin of the admin application in whichever administrator's browser renders the page. From there it can read session data or credentials exposed to the page and perform actions with the administrator's privileges. The impact is particularly severe for internal tools and dashboards, where privileged users routinely render content that other, less trusted users created. Product metadata must therefore be treated as untrusted data: validate it on input, and encode it on output with an encoder that matches the context it is written into (HTML text, attribute value, URL, JavaScript string), preferably through a templating engine with autoescaping enabled rather than by hand-built string concatenation.
Affected Versions
fastapi-admin pro v0.1.4
Code Fix Example
FastAPI API Security Remediation
from fastapi import FastAPI, Form
from fastapi.responses import HTMLResponse
import html as html_lib

app = FastAPI()


# Vulnerable pattern: echoes user input directly into HTML without escaping.
# A name such as <script>alert(1)</script> becomes live markup in the response.
@app.post("/vuln/products/create")
async def create_product_vuln(name: str = Form(...)):
    html_content = f"""
    <!DOCTYPE html>
    <html>
    <body>
    <h1>Product Created</h1>
    <p>Product Name: {name}</p>
    </body>
    </html>
    """
    return HTMLResponse(content=html_content)


# Fixed pattern: escape user input before rendering it into HTML text.
# html.escape encodes & < > and, with quote=True, both quote characters,
# so the value is also safe inside a quoted attribute.
@app.post("/fix/products/create")
async def create_product_fix(name: str = Form(...)):
    safe_name = html_lib.escape(name, quote=True)
    html_content = f"""
    <!DOCTYPE html>
    <html>
    <body>
    <h1>Product Created</h1>
    <p>Product Name: {safe_name}</p>
    </body>
    </html>
    """
    return HTMLResponse(content=html_content)
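The fix above only covers the one context the page writes the name into (an HTML text node). The following is an added example, not code from fastapi-admin or from the advisory, that extends the same remediation to the other contexts a product confirmation page typically has and adds a regression check. It assumes a hypothetical "Edit" link whose attribute and query string also carry the name; the encoder names, the sample payloads and the checker are all constructed for illustration. It runs on the standard library alone, so it can be used as a unit test without FastAPI installed.

```python
import html
from html.parser import HTMLParser
from urllib.parse import quote

# Constructed attacker-controlled product names used as sample input
# (illustrative payloads, not taken from the advisory).
SAMPLE_NAMES = [
    "<script>alert(document.cookie)</script>",   # text-context break-out
    '" onmouseover="alert(1)',                    # attribute-context break-out
    "javascript:alert(1)",                        # URL-context payload
    "Widget & Co <b>Deluxe</b>",                  # benign but HTML-significant
]

# Tags the hardened template itself emits; anything else came from the input.
EXPECTED_TAGS = {"html", "body", "h1", "p", "a"}


def encode_text(value: str) -> str:
    """Encode for an HTML text node: html.escape handles & < > and quotes."""
    return html.escape(value, quote=True)


def encode_attr(value: str) -> str:
    """Encode for a double-quoted attribute value. quote=True is what stops a
    '"' in the input from closing the attribute and appending on*= handlers."""
    return html.escape(value, quote=True)


def encode_query_param(value: str) -> str:
    """Percent-encode for a URL query-string value; safe="" also encodes '/'."""
    return quote(value, safe="")


def render_product_page(name: str) -> str:
    """Hardened confirmation page: one encoder per output context.
    The edit link is hypothetical, added to show attribute and URL contexts."""
    return (
        "<!DOCTYPE html><html><body>"
        "<h1>Product Created</h1>"
        f"<p>Product Name: {encode_text(name)}</p>"
        f'<a href="/products/edit?name={encode_query_param(name)}" '
        f'title="{encode_attr(name)}">Edit</a>'
        "</body></html>"
    )


def render_product_page_unsafe(name: str) -> str:
    """The vulnerable pattern from the advisory, kept for comparison."""
    return (
        "<!DOCTYPE html><html><body><h1>Product Created</h1>"
        f"<p>Product Name: {name}</p></body></html>"
    )


def render_title_noquote(name: str) -> str:
    """Common mistake: escaping with quote=False inside an attribute value."""
    return f'<a href="/products/edit" title="{html.escape(name, quote=False)}">Edit</a>'


class _TagCollector(HTMLParser):
    """Records every start tag and its attributes as the tokenizer sees them."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def injected_markup(page: str) -> list:
    """Regression check: parse the rendered page the way a browser tokenizer
    would and report tags the template never emits, event-handler attributes
    and javascript: URLs. An empty list means the input stayed inert."""
    parser = _TagCollector()
    parser.feed(page)
    parser.close()
    findings = []
    for tag, attrs in parser.tags:
        if tag not in EXPECTED_TAGS:
            findings.append(f"unexpected tag <{tag}>")
        for attr, value in attrs.items():
            if attr.startswith("on"):
                findings.append(f"event handler {attr} on <{tag}>")
            if attr in ("href", "src") and value and value.strip().lower().startswith("javascript:"):
                findings.append(f"javascript: URL in {attr} on <{tag}>")
    return findings


if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        print(repr(name))
        print("  unsafe  :", injected_markup(render_product_page_unsafe(name)))
        print("  hardened:", injected_markup(render_product_page(name)))
```

Two things the page's single-context fix does not show: the same html.escape call is only correct for text and quoted-attribute contexts (the quote=False variant above demonstrates how dropping the quote handling reopens the attribute context), and a value written into a URL needs percent-encoding rather than HTML encoding. In a real FastAPI application the equivalent of this by-hand encoding is a Jinja2 environment with autoescaping enabled; the parser-based check is still useful as a test that a template change has not reintroduced raw interpolation.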