Security Misconfiguration

How to Fix Security Misconfiguration in FastAPI [March 2026] [CVE-2024-40627]

[Updated March 2026] Updated CVE-2024-40627

Overview

CVE-2024-40627 describes a security misconfiguration in the OPA-based middleware for FastAPI: OpaMiddleware skips policy evaluation for HTTP OPTIONS requests, so OPTIONS is always allowed without authentication. In a real-world application this lets an unauthenticated attacker send preflight requests and, depending on how the app answers OPTIONS, infer which entities exist or are writable. The result is information disclosure and targeted enumeration of resources that undermines access control. The issue is classified under CWE-204 (Progressive Disclosure / Information Exposure) and affects the OPA middleware, not FastAPI itself.

The vulnerability is fixed in release 2.0.1 of the middleware, and users are advised to upgrade; there is no widely applicable workaround other than upgrading. If your application relies on OpaMiddleware to enforce policy across endpoints, an OPTIONS preflight can bypass those checks, and differing response patterns reveal whether a resource exists or is writable. APIs that answer differently for existing and non-existing entities, or for permitted and forbidden actions on a resource, are the most exposed.

Upgrading to the fixed version makes OPTIONS requests subject to policy evaluation as intended and closes the information-disclosure vector. After upgrading, verify that every method, including OPTIONS, is consistently governed by policy decisions. To prevent recurrence in FastAPI projects, apply the upgrade, make OPTIONS handling part of your deployment and testing checks, and consider requiring explicit authentication for OPTIONS during the transition. Together, the official fix and these defensive practices reduce the risk of inadvertent information disclosure through OPTIONS preflight traffic.

Affected Versions

2.0.0 and earlier (<= 2.0.0); fixed in 2.0.1

Code Fix Example

FastAPI API Security Remediation
Vulnerable pattern:
from fastapi import FastAPI
from opamiddleware import OpaMiddleware

app = FastAPI()

# Vulnerable: OPTIONS requests bypass policy evaluation
app.add_middleware(OpaMiddleware, policy_path='opa/policy.json')

@app.get('/entities/{entity_id}')
async def read_entity(entity_id: int):
    return {"entity_id": entity_id, "exists": True}

@app.options('/entities/{entity_id}')
async def options_entity(entity_id: int):
    # The response may reveal existence or permissions of the entity
    return {"exists": True}

Fix (upgrade + defense-in-depth):
from fastapi import FastAPI, Request
from fastapi.responses import JSONResponse
from opamiddleware import OpaMiddleware

app = FastAPI()

# Fixed: upgrade to 2.0.1+, where OPTIONS requests are evaluated by policy
app.add_middleware(OpaMiddleware, policy_path='opa/policy.json')

# Optional defense-in-depth: require authentication for OPTIONS during transition.
# Return a response instead of raising HTTPException: an exception raised inside an
# @app.middleware('http') function is not routed to the app's exception handlers
# and surfaces as a 500 rather than a 401.
# Caveat: browsers never attach Authorization to CORS preflight requests, so this
# check also blocks legitimate cross-origin preflights; use it only as a temporary
# measure where the API is not consumed cross-origin from browsers.
@app.middleware('http')
async def require_auth_for_options(request: Request, call_next):
    if request.method == 'OPTIONS' and not request.headers.get('Authorization'):
        return JSONResponse(status_code=401, content={"detail": "Unauthorized"})
    return await call_next(request)

@app.get('/entities/{entity_id}')
async def read_entity(entity_id: int):
    return {"entity_id": entity_id, "exists": True}
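The regression check the Overview recommends (every method, OPTIONS included, governed by policy), as an added example that is not from the advisory or the middleware project. It models OpaMiddleware as a plain-Python gate so it runs without FastAPI installed; `policy_gate`, `app`, `ENTITIES` and the `Bearer demo-token` credential are constructed stand-ins, and `skip_methods` models the 2.0.0 behaviour of letting OPTIONS through unevaluated.

```python
from dataclasses import dataclass, field

# Constructed sample data for the demo: the entity ids that "exist".
ENTITIES = {1: "alpha", 2: "beta"}
METHODS = ("GET", "POST", "PUT", "DELETE", "OPTIONS")

@dataclass
class Req:
    method: str
    path: str
    headers: dict = field(default_factory=dict)

def app(req):
    """Constructed application: like the advisory's OPTIONS handler, its
    response differs for existing and non-existing entities."""
    entity_id = int(req.path.rsplit("/", 1)[1])
    if entity_id not in ENTITIES:
        return 404, {"detail": "not found"}
    return 200, {"entity_id": entity_id, "exists": True}

def policy_gate(req, skip_methods=()):
    """Stand-in for OpaMiddleware. `skip_methods` models the 2.0.0 behaviour
    of passing some methods through without a policy decision."""
    if req.method not in skip_methods and \
            req.headers.get("Authorization") != "Bearer demo-token":
        return 401, {"detail": "policy denied"}
    return app(req)

def unauthenticated_statuses(skip_methods):
    """Status each method yields with no credentials, for an existing
    entity id and a non-existing one."""
    return {
        m: (policy_gate(Req(m, "/entities/1"), skip_methods)[0],
            policy_gate(Req(m, "/entities/999"), skip_methods)[0])
        for m in METHODS
    }

def ungoverned_methods(skip_methods):
    """Regression check: methods whose unauthenticated response is not the
    uniform policy denial, i.e. where a CWE-204 style discrepancy is observable."""
    return sorted(m for m, statuses in unauthenticated_statuses(skip_methods).items()
                  if statuses != (401, 401))

if __name__ == "__main__":
    print("2.0.0 model:", ungoverned_methods(skip_methods=("OPTIONS",)))  # ['OPTIONS']
    print("2.0.1 model:", ungoverned_methods(skip_methods=()))            # []
```

Against a real deployment the same matrix is run with a test client over the live routes; any method other than the expected uniform denial is a policy gap.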
