Cross-Site Request Forgery in Webargs
High severity
GitHub Reviewed
Published
Apr 7, 2021
to the GitHub Advisory Database
•
Updated Nov 19, 2024
Package
Affected versions
>= 5.0.0, < 5.5.3
>= 6.0.0b1, < 6.0.0b4
Patched versions
5.5.3
6.0.0b4
Description
Published by the National Vulnerability Database
Jan 29, 2020
Reviewed
Mar 29, 2021
Published to the GitHub Advisory Database
Apr 7, 2021
Last updated
Nov 19, 2024
flaskparser.py in Webargs 5.x through 5.5.2 doesn't check that the Content-Type header is application/json when receiving JSON input. If the request body is valid JSON, it will accept it even if the content type is application/x-www-form-urlencoded. This allows for JSON POST requests to be made across domains, leading to CSRF.
References