Overview
CVE-2024-42816 describes a cross-site scripting (XSS) vulnerability in the Create Product function of fastapi-admin pro v0.1.4. An attacker can supply a crafted payload in the Product Name parameter to execute arbitrary web scripts or HTML in the admin user's browser (CWE-79). This can lead to session hijacking, credential theft, or tampering with data shown in the admin interface. The vulnerability demonstrates how untrusted input, when rendered into HTML without proper escaping, lets attacker-controlled markup run with the trust of the victim's browser session. This CVE highlights the need for strict output encoding and safe rendering practices in FastAPI-based admin components that generate HTML from user-provided data.
Affected Versions
fastapi-admin pro v0.1.4
Code Fix Example
FastAPI API Security Remediation
from fastapi import FastAPI, Request
from fastapi.responses import HTMLResponse
from pydantic import BaseModel
from markupsafe import escape

app = FastAPI()


class ProductIn(BaseModel):
    name: str


# Vulnerable pattern (do not use in production)
@app.post('/products')
async def create_product(request: Request, p: ProductIn):
    # DO NOT DO THIS: the product name is interpolated into HTML as-is,
    # so any tags or script in it are parsed and executed by the admin's browser
    html = f"<html><body><h1>Product: {p.name}</h1></body></html>"
    return HTMLResponse(content=html)


# Safe pattern: escape user input before rendering
@app.post('/products-safe')
async def create_product_safe(request: Request, p: ProductIn):
    # escape() converts <, >, &, " and ' to HTML entities, so the name is
    # rendered as literal text rather than interpreted as markup
    safe_name = escape(p.name)
    html = f"<html><body><h1>Product: {safe_name}</h1></body></html>"
    return HTMLResponse(content=html)
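The following is an added regression check, not code from fastapi-admin pro or from the advisory above. It reproduces both rendering patterns with the standard-library html.escape (an assumption: it stands in for markupsafe.escape so the check runs without dependencies) and parses the rendered page with html.parser to confirm that constructed hostile product names produce no script element or event-handler attribute after escaping.

```python
import html
from html.parser import HTMLParser

# Constructed sample inputs (not taken from the advisory): one benign name
# and two hostile names of the kind CWE-79 is about.
BENIGN_NAME = "Widget & Co <Deluxe>"
HOSTILE_SCRIPT = "<script>alert(1)</script>"
HOSTILE_IMG = '<img src=x onerror="alert(1)">'


def render_product_unsafe(name: str) -> str:
    """Mirrors the vulnerable pattern: raw input interpolated into HTML."""
    return f"<html><body><h1>Product: {name}</h1></body></html>"


def render_product_safe(name: str) -> str:
    """Mirrors the fixed pattern, using stdlib html.escape in place of markupsafe.

    quote=True also encodes ' and ", so the same helper stays safe if the
    name is ever placed inside a quoted attribute value.
    """
    return f"<html><body><h1>Product: {html.escape(name, quote=True)}</h1></body></html>"


class ActiveContentFinder(HTMLParser):
    """Records parsed elements that could execute script: <script> tags,
    on* event-handler attributes, and javascript: URLs in href/src."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script element")
        for attr, value in attrs:
            if attr.lower().startswith("on"):
                self.findings.append(f"{tag}@{attr}")
            elif attr.lower() in ("href", "src") and value and value.strip().lower().startswith("javascript:"):
                self.findings.append(f"{tag}@{attr}=javascript:")


def active_content(markup: str) -> list[str]:
    """Parse rendered HTML the way a browser would and list executable parts.
    An empty list for every rendered product page is the regression check."""
    finder = ActiveContentFinder()
    finder.feed(markup)
    finder.close()
    return finder.findings
```

The same check can be pointed at the real endpoint's response body in a test suite, so a future template change that drops escaping fails the build rather than reaching production.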