Security Misconfiguration

How to Fix Security Misconfiguration in FastAPI [March 2026] [CVE-2024-42816]

[Updated March 2026] Updated CVE-2024-42816

Overview

Security misconfiguration in FastAPI deployments can lead to cross-site scripting (XSS) when user-supplied input is reflected in HTML responses without output encoding. CVE-2024-42816 describes an XSS flaw in the Create Product function of fastapi-admin pro v0.1.4: an attacker can inject arbitrary HTML or JavaScript through the Product Name parameter. If the admin UI renders that value without escaping, the payload executes in the browser of any administrator who views it, which can lead to cookie theft, session hijacking, or actions performed with the administrator's privileges. The weakness is CWE-79: Improper Neutralization of Input During Web Page Generation.

The exploitation path is a crafted product name containing script tags or event-handler attributes. The server interpolates the value directly into an HTML string, or renders it through a template with autoescaping disabled, so the payload becomes part of the served page. In admin interfaces that are exposed to the internet or inadequately authenticated, this can extend the compromise to every user of the interface.

Remediation focuses on safe rendering and up-to-date dependencies. Upgrade fastapi-admin pro to a release that fixes CVE-2024-42816, keep template autoescaping enabled, and never build HTML by string concatenation with untrusted data. Prefer a template engine with autoescaping and, when HTML must be assembled by hand, encode the value at output time with html.escape; input validators can narrow what a product name may contain, but they are not a substitute for output encoding. Add a Content Security Policy and other production-hardening headers to limit what a payload can do if an escape is missed.

Adopt safe defaults for FastAPI apps: disable debug mode in production, validate input and escape all user-controlled content at the point where it is rendered, audit every endpoint that returns HTML, and add tests that submit XSS payloads to product creation and similar routes and assert that they come back encoded. This approach mitigates CVE-2024-42816 and similar security misconfiguration issues in FastAPI-based deployments.

Affected Versions

fastapi-admin pro v0.1.4

Code Fix Example

FastAPI API Security Remediation
VULNERABLE CODE:
from fastapi import FastAPI
from fastapi.responses import HTMLResponse
from pydantic import BaseModel

app = FastAPI()

class Product(BaseModel):
    name: str

@app.post('/admin/create_product')
async def create_product(p: Product):
    # Vulnerable: p.name is interpolated into HTML with no output encoding, so a
    # name such as <script>alert(1)</script> is served as markup, not as text
    html = f'<html><body><h1>Product Created</h1><p>Name: {p.name}</p></body></html>'
    return HTMLResponse(content=html)

FIXED CODE (Option A: html.escape):
from fastapi import FastAPI
from fastapi.responses import HTMLResponse
from pydantic import BaseModel
import html as htmllib

app = FastAPI()

class Product(BaseModel):
    name: str

@app.post('/admin/create_product')
async def create_product(p: Product):
    # quote=True (the default) also encodes " and ', so the value is safe inside
    # quoted attributes as well as in element bodies. html.escape is correct only
    # for HTML body and attribute contexts; inline JavaScript or URL contexts
    # need their own encoding.
    safe_name = htmllib.escape(p.name, quote=True)
    html = f'<html><body><h1>Product Created</h1><p>Name: {safe_name}</p></body></html>'
    return HTMLResponse(content=html)

FIXED CODE (Option B: Jinja2 templates with autoescape):
from fastapi import FastAPI, Request
from fastapi.responses import HTMLResponse
from fastapi.templating import Jinja2Templates
from pydantic import BaseModel

app = FastAPI()
templates = Jinja2Templates(directory='templates')

class Product(BaseModel):
    name: str

@app.post('/admin/create_product')
async def create_product(request: Request, p: Product):
    # Starlette's Jinja2Templates enables autoescape by default, so {{ name }}
    # is encoded on output. Never apply the |safe filter to user-controlled
    # values and do not pass autoescape=False when constructing the environment.
    # Starlette >= 0.29 prefers TemplateResponse(request, name, context); the
    # form below still works but emits a deprecation warning on newer versions.
    return templates.TemplateResponse('product_created.html', {'request': request, 'name': p.name})

# templates/product_created.html would contain:
# <html><body><h1>Product Created</h1><p>Name: {{ name }}</p></body></html>
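The overview recommends a Content Security Policy and tests that submit XSS payloads against the product-creation route. The following is an added example, not code from fastapi-admin pro or from the original page: an output-encoding helper for the product-created page, a set of hardening headers, and a dependency-free regression check that compares the rendered page for each payload against a baseline render so that encoded text is accepted while raw tag or quote characters are flagged. The payload list, the benign name 'Widget' and the header values are constructed for this example.

```python
"""Added example (not part of fastapi-admin pro or the original page):
output encoding for the product-created page, hardening headers, and an
XSS regression check that works on any render callable. Python 3.9+."""
import html
from typing import Callable

# Constructed payloads a regression test would submit as the product name.
XSS_PAYLOADS = [
    '<script>alert(1)</script>',
    '<img src=x onerror=alert(1)>',
    '" onmouseover="alert(1)',
    "'><svg/onload=alert(1)>",
]

# Production-hardening headers (values chosen for this example). The CSP
# forbids inline scripts, so a missed escape cannot run attacker JavaScript
# in a CSP-aware browser; nosniff stops the browser re-typing the response.
SECURITY_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; "
                               "object-src 'none'; base-uri 'none'",
    "X-Content-Type-Options": "nosniff",
}

# Characters that must never reach the page unencoded from a user value.
DANGEROUS = '<>"\''


def render_product_created(name: str) -> str:
    """Safe rendering: the name is encoded once with quote=True and placed in
    an element body and in a quoted attribute, both HTML contexts."""
    safe = html.escape(name, quote=True)
    return (
        "<html><body><h1>Product Created</h1>"
        f"<p>Name: {safe}</p>"
        f'<input type="text" name="product" value="{safe}">'
        "</body></html>"
    )


def render_product_created_weak(name: str) -> str:
    """Deliberately weak variant: quote=False encodes < > & but leaves quotes,
    so a value inside a quoted attribute can still break out of it."""
    weak = html.escape(name, quote=False)
    return f'<input type="text" name="product" value="{weak}">'


def find_unescaped(render: Callable[[str], str], payload: str,
                   benign: str = "Widget") -> list[str]:
    """Render a benign name and the payload with the same callable; any extra
    dangerous character in the payload render came through unencoded."""
    baseline = render(benign)
    page = render(payload)
    findings = []
    for ch in DANGEROUS:
        extra = page.count(ch) - baseline.count(ch)
        if extra > 0:
            findings.append(f"{extra} unencoded {ch!r}")
    return findings


def xss_regression(render: Callable[[str], str],
                   payloads: list[str] = XSS_PAYLOADS) -> dict[str, list[str]]:
    """Map each payload that survives rendering to its findings; an empty
    dict means every payload came back encoded."""
    return {p: f for p in payloads if (f := find_unescaped(render, p))}


if __name__ == "__main__":
    print("safe handler:", xss_regression(render_product_created))
    print("weak handler:", xss_regression(render_product_created_weak))
```

To run the check against a live FastAPI app, pass a render callable built on the test client, for example `lambda n: client.post('/admin/create_product', json={'name': n}).text`, and apply `SECURITY_HEADERS` to every response from an `@app.middleware('http')` function. The weak variant shows why `quote=True` (the default) matters: with `quote=False` the two tag payloads are still neutralised, but the two quote-based payloads escape the attribute and are reported.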

CVE References

CVE-2024-42816: cross-site scripting in the Create Product function of fastapi-admin pro v0.1.4 (CWE-79: Improper Neutralization of Input During Web Page Generation).