When using form data, python-multipart uses a Regular Expression to parse the HTTP Content-Type header, including options.
An attacker could send a custom-made Content-Type option that is very difficult for the RegEx to process, consuming CPU resources and stalling indefinitely (minutes or more) while holding the main event loop. This means that process can't handle any more requests.
In this case, the process ID was `59461`, then you can kill it (forcefully, with `-9`) with:
```console
$ kill -9 59461
```
Impact
It's a ReDoS, (Regular expression Denial of Service), it only applies to those reading form data, using python-multipart. This way it also affects other libraries using Starlette, like FastAPI.
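A stopgap for deployments that cannot upgrade right away, added here as an example and not code from FastAPI, Starlette or python-multipart: a pure-ASGI guard that validates the `Content-Type` header with a linear scan (no regular expression) before any form parsing runs. The names `ContentTypeGuard`, `content_type_is_safe` and `probe`, the 256-byte cap, and the rejection of backslash escapes inside quoted values are assumptions of this sketch.

```python
import asyncio
import string

# Assumed policy values for this example; they are not taken from any library.
MAX_CONTENT_TYPE_LEN = 256
TOKEN_CHARS = frozenset(string.ascii_letters + string.digits + "!#$%&'*+-.^_`|~")


def _is_token(text: str) -> bool:
    """True for a non-empty run of HTTP token characters."""
    return bool(text) and all(ch in TOKEN_CHARS for ch in text)


def content_type_is_safe(value: bytes) -> bool:
    """Structural check done with split/partition only, so cost is linear."""
    if len(value) > MAX_CONTENT_TYPE_LEN:
        return False
    try:
        text = value.decode("ascii")
    except UnicodeDecodeError:
        return False
    media_type, *params = text.split(";")
    main, slash, sub = media_type.strip().partition("/")
    if not (slash and _is_token(main) and _is_token(sub)):
        return False
    for param in params:
        if not param.strip():
            continue  # tolerate a stray ";"
        name, eq, val = param.strip().partition("=")
        if not (eq and _is_token(name.strip())):
            return False
        val = val.strip()
        if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            inner = val[1:-1]
            # Quoted values are accepted, escapes and embedded quotes are not.
            if "\\" in inner or '"' in inner:
                return False
        elif not _is_token(val):
            return False
    return True


class ContentTypeGuard:
    """Pure ASGI middleware: answers 400 before the wrapped app sees the request."""

    def __init__(self, app):
        self.app = app

    async def __call__(self, scope, receive, send):
        if scope["type"] == "http":
            # ASGI servers deliver header names as lowercase bytes.
            for name, value in scope.get("headers", []):
                if name == b"content-type" and not content_type_is_safe(value):
                    await send({
                        "type": "http.response.start",
                        "status": 400,
                        "headers": [(b"content-type", b"text/plain")],
                    })
                    await send({
                        "type": "http.response.body",
                        "body": b"invalid Content-Type header",
                    })
                    return
        await self.app(scope, receive, send)


async def _ok_app(scope, receive, send):
    """Stand-in for the real application: always answers 200."""
    await send({"type": "http.response.start", "status": 200, "headers": []})
    await send({"type": "http.response.body", "body": b"ok"})


def probe(content_type: bytes) -> int:
    """Send one constructed request through the guard and return the status."""
    sent = []

    async def send(message):
        sent.append(message)

    async def receive():
        return {"type": "http.request", "body": b"", "more_body": False}

    scope = {
        "type": "http",
        "method": "POST",
        "path": "/submit/",
        "headers": [(b"content-type", content_type)],
    }
    asyncio.run(ContentTypeGuard(_ok_app)(scope, receive, send))
    return sent[0]["status"]


if __name__ == "__main__":
    # Constructed inputs: two ordinary headers and one with the shape of the
    # header in the report (an unterminated quoted value full of backslashes).
    print(probe(b"application/x-www-form-urlencoded"))
    print(probe(b'multipart/form-data; boundary="----FormBoundary7MA4YWxk"'))
    print(probe(b'application/x-www-form-urlencoded; !="' + b"\\" * 64))
```

With FastAPI or Starlette the guard can be registered with `app.add_middleware(ContentTypeGuard)`; upgrading `python-multipart` remains the actual fix.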
Original report to FastAPI
Hey Tiangolo!
My name's Marcello and I work on the ProtectAI/Huntr Threat Research team. A few months ago we got a report (from @nicecatch2000) of a ReDoS affecting another very popular Python web framework. After some internal research, I found that FastAPI is vulnerable to the same ReDoS under certain conditions (only when it parses Form data, not JSON).
Here are the details: I'm using the latest version of FastAPI (0.109.0) and the following code:
```Python
from typing import Annotated

from fastapi import FastAPI, Form
from fastapi.responses import HTMLResponse
from pydantic import BaseModel


class Item(BaseModel):
    username: str


app = FastAPI()


@app.get("/", response_class=HTMLResponse)
async def index():
    return HTMLResponse("Test", status_code=200)


# Form endpoint: reading the form goes through python-multipart
@app.post("/submit/")
async def submit(username: Annotated[str, Form()]):
    return {"username": username}


# JSON endpoint: no form parsing involved
@app.post("/submit_json/")
async def submit_json(item: Item):
    return {"username": item.username}
```
I'm running the above with uvicorn with the following command:
```console
uvicorn server:app
```
Then run the following cURL command:
```
curl -v -X 'POST' -H $'Content-Type: application/x-www-form-urlencoded; !=\"\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\' --data-binary 'input=1' 'http://localhost:8000/submit/'
```
You'll see the server locks up, is unable to serve any more requests, and one CPU core is pegged to 100%.
You can even start uvicorn with multiple workers with the `--workers 4` argument and as long as you send (workers + 1) requests you'll completely DoS the FastAPI server.
If you try submitting JSON to the /submit_json endpoint with the malicious Content-Type header you'll see it isn't vulnerable. So this only affects FastAPI when it parses Form data.
Cheers
#### Impact
An attacker is able to cause a DoS on a FastAPI server via a malicious Content-Type header if it parses Form data.
#### Occurrences
[params.py L586](https://togithub.com/tiangolo/fastapi/blob/d74b3b25659b42233a669f032529880de8bd6c2d/fastapi/params.py#L586)
Release Notes
tiangolo/fastapi (fastapi)
### [`v0.109.1`](https://togithub.com/tiangolo/fastapi/releases/tag/0.109.1)
[Compare Source](https://togithub.com/tiangolo/fastapi/compare/0.109.0...0.109.1)
##### Security fixes
- ⬆️ Upgrade minimum version of `python-multipart` to `>=0.0.7` to fix a vulnerability when using form data with a ReDos attack. You can also simply upgrade `python-multipart`.
Read more in the [advisory: Content-Type Header ReDoS](https://togithub.com/tiangolo/fastapi/security/advisories/GHSA-qf9m-vfgh-m389).
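The release note's two remediation paths (raise `fastapi` so it requires the fixed `python-multipart`, or upgrade `python-multipart` directly) can be checked against a pinned requirements file. The following is an added example, not part of the FastAPI release notes or tooling; the function names, the three result labels and the sample requirement lines are constructed, and only `==` pins with plain numeric versions are handled.

```python
from itertools import takewhile

# Versions stated in the release note above.
FIXED_MULTIPART = (0, 0, 7)       # first python-multipart release with the fix
FASTAPI_ENFORCING = (0, 109, 1)   # first fastapi release requiring it


def parse_version(text: str) -> tuple:
    """Turn '0.109.1' into (0, 109, 1); stops at the first non-numeric part."""
    parts = []
    for piece in text.strip().split("."):
        digits = "".join(takewhile(str.isdigit, piece))
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def read_pins(requirements_text: str) -> dict:
    """Collect name -> version for every '==' pin, ignoring comments and extras."""
    pins = {}
    for raw in requirements_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "==" not in line:
            continue
        name, _, version = line.partition("==")
        # Normalise 'python_multipart' / 'fastapi[all]' to the canonical name.
        name = name.split("[", 1)[0].strip().lower()
        name = name.replace("_", "-").replace(".", "-")
        pins[name] = version.lstrip("=").split(";", 1)[0].strip()
    return pins


def audit(requirements_text: str) -> str:
    """Return 'vulnerable', 'unenforced' or 'ok' for a set of pins.

    vulnerable: python-multipart is pinned below the fixed release.
    unenforced: python-multipart is not pinned and fastapi is older than the
                release that requires the fixed version, so the resolver is
                free to install a vulnerable python-multipart.
    ok:         python-multipart is pinned at or above the fix, or fastapi is
                recent enough to require it.
    """
    pins = read_pins(requirements_text)
    multipart = pins.get("python-multipart")
    if multipart is not None:
        if parse_version(multipart) >= FIXED_MULTIPART:
            return "ok"
        return "vulnerable"
    fastapi = pins.get("fastapi")
    if fastapi is not None and parse_version(fastapi) < FASTAPI_ENFORCING:
        return "unenforced"
    return "ok"


if __name__ == "__main__":
    # Constructed sample requirement sets.
    samples = [
        "fastapi==0.109.0\npython_multipart==0.0.6\n",
        "fastapi[all]==0.109.0  # pinned\nuvicorn==0.27.0\n",
        "fastapi==0.109.0\npython-multipart==0.0.7\n",
    ]
    for text in samples:
        print(audit(text))
```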
##### Features
- ✨ Include HTTP 205 in status codes with no body. PR [#10969](https://togithub.com/tiangolo/fastapi/pull/10969) by [@tiangolo](https://togithub.com/tiangolo).
##### Refactors
- ✅ Refactor tests for duplicate operation ID generation for compatibility with other tools running the FastAPI test suite. PR [#10876](https://togithub.com/tiangolo/fastapi/pull/10876) by [@emmettbutler](https://togithub.com/emmettbutler).
- ♻️ Simplify string format with f-strings in `fastapi/utils.py`. PR [#10576](https://togithub.com/tiangolo/fastapi/pull/10576) by [@eukub](https://togithub.com/eukub).
- 🔧 Fix Ruff configuration unintentionally enabling and re-disabling mccabe complexity check. PR [#10893](https://togithub.com/tiangolo/fastapi/pull/10893) by [@jiridanek](https://togithub.com/jiridanek).
- ✅ Re-enable test in `tests/test_tutorial/test_header_params/test_tutorial003.py` after fix in Starlette. PR [#10904](https://togithub.com/tiangolo/fastapi/pull/10904) by [@ooknimm](https://togithub.com/ooknimm).
##### Docs
- 📝 Tweak wording in `help-fastapi.md`. PR [#11040](https://togithub.com/tiangolo/fastapi/pull/11040) by [@tiangolo](https://togithub.com/tiangolo).
- 📝 Tweak docs for Behind a Proxy. PR [#11038](https://togithub.com/tiangolo/fastapi/pull/11038) by [@tiangolo](https://togithub.com/tiangolo).
- 📝 Add External Link: 10 Tips for adding SQLAlchemy to FastAPI. PR [#11036](https://togithub.com/tiangolo/fastapi/pull/11036) by [@Donnype](https://togithub.com/Donnype).
- 📝 Add External Link: Tips on migrating from Flask to FastAPI and vice-versa. PR [#11029](https://togithub.com/tiangolo/fastapi/pull/11029) by [@jtemporal](https://togithub.com/jtemporal).
- 📝 Deprecate old tutorials: Peewee, Couchbase, encode/databases. PR [#10979](https://togithub.com/tiangolo/fastapi/pull/10979) by [@tiangolo](https://togithub.com/tiangolo).
- ✏️ Fix typo in `fastapi/security/oauth2.py`. PR [#10972](https://togithub.com/tiangolo/fastapi/pull/10972) by [@RafalSkolasinski](https://togithub.com/RafalSkolasinski).
- 📝 Update `HTTPException` details in `docs/en/docs/tutorial/handling-errors.md`. PR [#5418](https://togithub.com/tiangolo/fastapi/pull/5418) by [@papb](https://togithub.com/papb).
- ✏️ A few tweaks in `docs/de/docs/tutorial/first-steps.md`. PR [#10959](https://togithub.com/tiangolo/fastapi/pull/10959) by [@nilslindemann](https://togithub.com/nilslindemann).
- ✏️ Fix link in `docs/en/docs/advanced/async-tests.md`. PR [#10960](https://togithub.com/tiangolo/fastapi/pull/10960) by [@nilslindemann](https://togithub.com/nilslindemann).
- ✏️ Fix typos for Spanish documentation. PR [#10957](https://togithub.com/tiangolo/fastapi/pull/10957) by [@jlopezlira](https://togithub.com/jlopezlira).
- 📝 Add warning about lifespan functions and backwards compatibility with events. PR [#10734](https://togithub.com/tiangolo/fastapi/pull/10734) by [@jacob-indigo](https://togithub.com/jacob-indigo).
- ✏️ Fix broken link in `docs/tutorial/sql-databases.md` in several languages. PR [#10716](https://togithub.com/tiangolo/fastapi/pull/10716) by [@theoohoho](https://togithub.com/theoohoho).
- ✏️ Remove broken links from `external_links.yml`. PR [#10943](https://togithub.com/tiangolo/fastapi/pull/10943) by [@Torabek](https://togithub.com/Torabek).
- 📝 Update template docs with more info about `url_for`. PR [#5937](https://togithub.com/tiangolo/fastapi/pull/5937) by [@EzzEddin](https://togithub.com/EzzEddin).
- 📝 Update usage of Token model in security docs. PR [#9313](https://togithub.com/tiangolo/fastapi/pull/9313) by [@piotrszacilowski](https://togithub.com/piotrszacilowski).
- ✏️ Update highlighted line in `docs/en/docs/tutorial/bigger-applications.md`. PR [#5490](https://togithub.com/tiangolo/fastapi/pull/5490) by [@papb](https://togithub.com/papb).
- 📝 Add External Link: Explore How to Effectively Use JWT With FastAPI. PR [#10212](https://togithub.com/tiangolo/fastapi/pull/10212) by [@aanchlia](https://togithub.com/aanchlia).
- 📝 Add hyperlink to `docs/en/docs/tutorial/static-files.md`. PR [#10243](https://togithub.com/tiangolo/fastapi/pull/10243) by [@hungtsetse](https://togithub.com/hungtsetse).
- 📝 Add External Link: Instrument a FastAPI service adding tracing with OpenTelemetry and send/show traces in Grafana Tempo. PR [#9440](https://togithub.com/tiangolo/fastapi/pull/9440) by [@softwarebloat](https://togithub.com/softwarebloat).
- 📝 Review and rewording of `en/docs/contributing.md`. PR [#10480](https://togithub.com/tiangolo/fastapi/pull/10480) by [@nilslindemann](https://togithub.com/nilslindemann).
- 📝 Add External Link: ML serving and monitoring with FastAPI and Evidently. PR [#9701](https://togithub.com/tiangolo/fastapi/pull/9701) by [@mnrozhkov](https://togithub.com/mnrozhkov).
- 📝 Reword in docs, from "have in mind" to "keep in mind". PR [#10376](https://togithub.com/tiangolo/fastapi/pull/10376) by [@malicious](https://togithub.com/malicious).
- 📝 Add External Link: Talk by Jeny Sadadia. PR [#10265](https://togithub.com/tiangolo/fastapi/pull/10265) by [@JenySadadia](https://togithub.com/JenySadadia).
- 📝 Add location info to `tutorial/bigger-applications.md`. PR [#10552](https://togithub.com/tiangolo/fastapi/pull/10552) by [@nilslindemann](https://togithub.com/nilslindemann).
- ✏️ Fix Pydantic method name in `docs/en/docs/advanced/path-operation-advanced-configuration.md`. PR [#10826](https://togithub.com/tiangolo/fastapi/pull/10826) by [@ahmedabdou14](https://togithub.com/ahmedabdou14).
##### Translations
- 🌐 Add Spanish translation for `docs/es/docs/external-links.md`. PR [#10933](https://togithub.com/tiangolo/fastapi/pull/10933) by [@pablocm83](https://togithub.com/pablocm83).
- 🌐 Update Korean translation for `docs/ko/docs/tutorial/first-steps.md`, `docs/ko/docs/tutorial/index.md`, `docs/ko/docs/tutorial/path-params.md`, and `docs/ko/docs/tutorial/query-params.md`. PR [#4218](https://togithub.com/tiangolo/fastapi/pull/4218) by [@SnowSuno](https://togithub.com/SnowSuno).
- 🌐 Add Chinese translation for `docs/zh/docs/tutorial/dependencies/dependencies-with-yield.md`. PR [#10870](https://togithub.com/tiangolo/fastapi/pull/10870) by [@zhiquanchi](https://togithub.com/zhiquanchi).
- 🌐 Add Chinese translation for `docs/zh/docs/deployment/concepts.md`. PR [#10282](https://togithub.com/tiangolo/fastapi/pull/10282) by [@xzmeng](https://togithub.com/xzmeng).
- 🌐 Add Azerbaijani translation for `docs/az/docs/index.md`. PR [#11047](https://togithub.com/tiangolo/fastapi/pull/11047) by [@aykhans](https://togithub.com/aykhans).
- 🌐 Add Korean translation for `docs/ko/docs/tutorial/middleware.md`. PR [#2829](https://togithub.com/tiangolo/fastapi/pull/2829) by [@JeongHyeongKim](https://togithub.com/JeongHyeongKim).
- 🌐 Add German translation for `docs/de/docs/tutorial/body-nested-models.md`. PR [#10313](https://togithub.com/tiangolo/fastapi/pull/10313) by [@nilslindemann](https://togithub.com/nilslindemann).
- 🌐 Add Persian translation for `docs/fa/docs/tutorial/middleware.md`. PR [#9695](https://togithub.com/tiangolo/fastapi/pull/9695) by [@mojtabapaso](https://togithub.com/mojtabapaso).
- 🌐 Update Farsi translation for `docs/fa/docs/index.md`. PR [#10216](https://togithub.com/tiangolo/fastapi/pull/10216) by [@theonlykingpin](https://togithub.com/theonlykingpin).
- 🌐 Add German translation for `docs/de/docs/tutorial/body-fields.md`. PR [#10310](https://togithub.com/tiangolo/fastapi/pull/10310) by [@nilslindemann](https://togithub.com/nilslindemann).
- 🌐 Add German translation for `docs/de/docs/tutorial/body.md`. PR [#10295](https://togithub.com/tiangolo/fastapi/pull/10295) by [@nilslindemann](https://togithub.com/nilslindemann).
- 🌐 Add German translation for `docs/de/docs/tutorial/body-multiple-params.md`. PR [#10308](https://togithub.com/tiangolo/fastapi/pull/10308) by [@nilslindemann](https://togithub.com/nilslindemann).
- 🌐 Add Japanese translation for `docs/ja/docs/tutorial/security/get-current-user.md`. PR [#2681](https://togithub.com/tiangolo/fastapi/pull/2681) by [@sh0nk](https://togithub.com/sh0nk).
- 🌐 Add Chinese translation for `docs/zh/docs/advanced/advanced-dependencies.md`. PR [#3798](https://togithub.com/tiangolo/fastapi/pull/3798) by [@jaystone776](https://togithub.com/jaystone776).
- 🌐 Add Chinese translation for `docs/zh/docs/advanced/events.md`. PR [#3815](https://togithub.com/tiangolo/fastapi/pull/3815) by [@jaystone776](https://togithub.com/jaystone776).
- 🌐 Add Chinese translation for `docs/zh/docs/advanced/behind-a-proxy.md`. PR [#3820](https://togithub.com/tiangolo/fastapi/pull/3820) by [@jaystone776](https://togithub.com/jaystone776).
- 🌐 Add Chinese translation for `docs/zh/docs/advanced/testing-events.md`. PR [#3818](https://togithub.com/tiangolo/fastapi/pull/3818) by [@jaystone776](https://togithub.com/jaystone776).
- 🌐 Add Chinese translation for `docs/zh/docs/advanced/testing-websockets.md`. PR [#3817](https://togithub.com/tiangolo/fastapi/pull/3817) by [@jaystone776](https://togithub.com/jaystone776).
- 🌐 Add Chinese translation for `docs/zh/docs/advanced/testing-database.md`. PR [#3821](https://togithub.com/tiangolo/fastapi/pull/3821) by [@jaystone776](https://togithub.com/jaystone776).
- 🌐 Add Chinese translation for `docs/zh/docs/deployment/deta.md`. PR [#3837](https://togithub.com/tiangolo/fastapi/pull/3837) by [@jaystone776](https://togithub.com/jaystone776).
- 🌐 Add Chinese translation for `docs/zh/docs/history-design-future.md`. PR [#3832](https://togithub.com/tiangolo/fastapi/pull/3832) by [@jaystone776](https://togithub.com/jaystone776).
- 🌐 Add Chinese translation for `docs/zh/docs/project-generation.md`. PR [#3831](https://togithub.com/tiangolo/fastapi/pull/3831) by [@jaystone776](https://togithub.com/jaystone776).
- 🌐 Add Chinese translation for `docs/zh/docs/deployment/docker.md`. PR [#10296](https://togithub.com/tiangolo/fastapi/pull/10296) by [@xzmeng](https://togithub.com/xzmeng).
- 🌐 Update Spanish translation for `docs/es/docs/features.md`. PR [#10884](https://togithub.com/tiangolo/fastapi/pull/10884) by [@pablocm83](https://togithub.com/pablocm83).
- 🌐 Add Spanish translation for `docs/es/docs/newsletter.md`. PR [#10922](https://togithub.com/tiangolo/fastapi/pull/10922) by [@pablocm83](https://togithub.com/pablocm83).
- 🌐 Add Korean translation for `docs/ko/docs/tutorial/background-tasks.md`. PR [#5910](https://togithub.com/tiangolo/fastapi/pull/5910) by [@junah201](https://togithub.com/junah201).
- 🌐 Add Turkish translation for `docs/tr/docs/alternatives.md`. PR [#10502](https://togithub.com/tiangolo/fastapi/pull/10502) by [@alperiox](https://togithub.com/alperiox).
- 🌐 Add Korean translation for `docs/ko/docs/tutorial/dependencies/index.md`. PR [#10989](https://togithub.com/tiangolo/fastapi/pull/10989) by [@KaniKim](https://togithub.com/KaniKim).
- 🌐 Add Korean translation for `/docs/ko/docs/tutorial/body.md`. PR [#11000](https://togithub.com/tiangolo/fastapi/pull/11000) by [@KaniKim](https://togithub.com/KaniKim).
- 🌐 Add Portuguese translation for `docs/pt/docs/tutorial/schema-extra-example.md`. PR [#4065](https://togithub.com/tiangolo/fastapi/pull/4065) by [@luccasmmg](https://togithub.com/luccasmmg).
- 🌐 Add Turkish translation for `docs/tr/docs/history-design-future.md`. PR [#11012](https://togithub.com/tiangolo/fastapi/pull/11012) by [@hasansezertasan](https://togithub.com/hasansezertasan).
- 🌐 Add Turkish translation for `docs/tr/docs/resources/index.md`. PR [#11020](https://togithub.com/tiangolo/fastapi/pull/11020) by [@hasansezertasan](https://togithub.com/hasansezertasan).
- 🌐 Add Turkish translation for `docs/tr/docs/how-to/index.md`. PR [#11021](https://togithub.com/tiangolo/fastapi/pull/11021) by [@hasansezertasan](https://togithub.com/hasansezertasan).
- 🌐 Add German translation for `docs/de/docs/tutorial/query-params.md`. PR [#10293](https://togithub.com/tiangolo/fastapi/pull/10293) by [@nilslindemann](https://togithub.com/nilslindemann).
- 🌐 Add German translation for `docs/de/docs/benchmarks.md`. PR [#10866](https://togithub.com/tiangolo/fastapi/pull/10866) by [@nilslindemann](https://togithub.com/nilslindemann).
- 🌐 Add Turkish translation for `docs/tr/docs/learn/index.md`. PR [#11014](https://togithub.com/tiangolo/fastapi/pull/11014) by [@hasansezertasan](https://togithub.com/hasansezertasan).
- 🌐 Add Persian translation for `docs/fa/docs/tutorial/security/index.md`. PR [#9945](https://togithub.com/tiangolo/fastapi/pull/9945) by [@mojtabapaso](https://togithub.com/mojtabapaso).
- 🌐 Add Turkish translation for `docs/tr/docs/help/index.md`. PR [#11013](https://togithub.com/tiangolo/fastapi/pull/11013) by [@hasansezertasan](https://togithub.com/hasansezertasan).
- 🌐 Add Turkish translation for `docs/tr/docs/about/index.md`. PR [#11006](https://togithub.com/tiangolo/fastapi/pull/11006) by [@hasansezertasan](https://togithub.com/hasansezertasan).
- 🌐 Update Turkish translation for `docs/tr/docs/benchmarks.md`. PR [#11005](https://togithub.com/tiangolo/fastapi/pull/11005) by [@hasansezertasan](https://togithub.com/hasansezertasan).
- 🌐 Add Italian translation for `docs/it/docs/index.md`. PR [#5233](https://togithub.com/tiangolo/fastapi/pull/5233) by [@matteospanio](https://togithub.com/matteospanio).
- 🌐 Add Korean translation for `docs/ko/docs/help/index.md`. PR [#10983](https://togithub.com/tiangolo/fastapi/pull/10983) by [@KaniKim](https://togithub.com/KaniKim).
- 🌐 Add Korean translation for `docs/ko/docs/features.md`. PR [#10976](https://togithub.com/tiangolo/fastapi/pull/10976) by [@KaniKim](https://togithub.com/KaniKim).
- 🌐 Add Korean translation for `docs/ko/docs/tutorial/security/get-current-user.md`. PR [#5737](https://togithub.com/tiangolo/fastapi/pull/5737) by [@KdHyeon0661](https://togithub.com/KdHyeon0661).
- 🌐 Add Russian translation for `docs/ru/docs/tutorial/security/first-steps.md`. PR [#10541](https://togithub.com/tiangolo/fastapi/pull/10541) by [@AlertRED](https://togithub.com/AlertRED).
- 🌐 Add Russian translation for `docs/ru/docs/tutorial/handling-errors.md`. PR [#10375](https://togithub.com/tiangolo/fastapi/pull/10375) by [@AlertRED](https://togithub.com/AlertRED).
- 🌐 Add Russian translation for `docs/ru/docs/tutorial/encoder.md`. PR [#10374](https://togithub.com/tiangolo/fastapi/pull/10374) by [@AlertRED](https://togithub.com/AlertRED).
- 🌐 Add Russian translation for `docs/ru/docs/tutorial/body-updates.md`. PR [#10373](https://togithub.com/tiangolo/fastapi/pull/10373) by [@AlertRED](https://togithub.com/AlertRED).
- 🌐 Russian translation: updated `fastapi-people.md`. PR [#10255](https://togithub.com/tiangolo/fastapi/pull/10255) by [@NiKuma0](https://togithub.com/NiKuma0).
- 🌐 Add Japanese translation for `docs/ja/docs/tutorial/security/index.md`. PR [#5798](https://togithub.com/tiangolo/fastapi/pull/5798) by [@3w36zj6](https://togithub.com/3w36zj6).
- 🌐 Add German translation for `docs/de/docs/advanced/generate-clients.md`. PR [#10725](https://togithub.com/tiangolo/fastapi/pull/10725) by [@nilslindemann](https://togithub.com/nilslindemann).
- 🌐 Add German translation for `docs/de/docs/advanced/openapi-webhooks.md`. PR [#10712](https://togithub.com/tiangolo/fastapi/pull/10712) by [@nilslindemann](https://togithub.com/nilslindemann).
- 🌐 Add German translation for `docs/de/docs/advanced/custom-response.md`. PR [#10624](https://togithub.com/tiangolo/fastapi/pull/10624) by [@nilslindemann](https://togithub.com/nilslindemann).
- 🌐 Add German translation for `docs/de/docs/advanced/additional-status-codes.md`. PR [#10617](https://togithub.com/tiangolo/fastapi/pull/10617) by [@nilslindemann](https://togithub.com/nilslindemann).
- 🌐 Add German translation for `docs/de/docs/tutorial/middleware.md`. PR [#10391](https://togithub.com/tiangolo/fastapi/pull/10391) by [@JohannesJungbluth](https://togithub.com/JohannesJungbluth).
- 🌐 Add German translation for introduction documents. PR [#10497](https://togithub.com/tiangolo/fastapi/pull/10497) by [@nilslindemann](https://togithub.com/nilslindemann).
- 🌐 Add Japanese translation for `docs/ja/docs/tutorial/encoder.md`. PR [#1955](https://togithub.com/tiangolo/fastapi/pull/1955) by [@SwftAlpc](https://togithub.com/SwftAlpc).
- 🌐 Add Japanese translation for `docs/ja/docs/tutorial/extra-data-types.md`. PR [#1932](https://togithub.com/tiangolo/fastapi/pull/1932) by [@SwftAlpc](https://togithub.com/SwftAlpc).
- 🌐 Add Turkish translation for `docs/tr/docs/async.md`. PR [#5191](https://togithub.com/tiangolo/fastapi/pull/5191) by [@BilalAlpaslan](https://togithub.com/BilalAlpaslan).
- 🌐 Add Turkish translation for `docs/tr/docs/project-generation.md`. PR [#5192](https://togithub.com/tiangolo/fastapi/pull/5192) by [@BilalAlpaslan](https://togithub.com/BilalAlpaslan).
- 🌐 Add Korean translation for `docs/ko/docs/deployment/docker.md`. PR [#5657](https://togithub.com/tiangolo/fastapi/pull/5657) by [@nearnear](https://togithub.com/nearnear).
- 🌐 Add Korean translation for `docs/ko/docs/deployment/server-workers.md`. PR [#4935](https://togithub.com/tiangolo/fastapi/pull/4935) by [@jujumilk3](https://togithub.com/jujumilk3).
- 🌐 Add Korean translation for `docs/ko/docs/deployment/index.md`. PR [#4561](https://togithub.com/tiangolo/fastapi/pull/4561) by [@jujumilk3](https://togithub.com/jujumilk3).
- 🌐 Add Korean translation for `docs/ko/docs/tutorial/path-operation-configuration.md`. PR [#3639](https://togithub.com/tiangolo/fastapi/pull/3639) by [@jungsu-kwon](https://togithub.com/jungsu-kwon).
- 🌐 Modify the description of `zh` - Traditional Chinese. PR [#10889](https://togithub.com/tiangolo/fastapi/pull/10889) by [@cherinyy](https://togithub.com/cherinyy).
- 🌐 Add Korean translation for `docs/ko/docs/tutorial/static-files.md`. PR [#2957](https://togithub.com/tiangolo/fastapi/pull/2957) by [@jeesang7](https://togithub.com/jeesang7).
- 🌐 Add Korean translation for `docs/ko/docs/tutorial/response-model.md`. PR [#2766](https://togithub.com/tiangolo/fastapi/pull/2766) by [@hard-coders](https://togithub.com/hard-coders).
- 🌐 Add Korean translation for `docs/ko/docs/tutorial/body-multiple-params.md`. PR [#2461](https://togithub.com/tiangolo/fastapi/pull/2461) by [@PandaHun](https://togithub.com/PandaHun).
- 🌐 Add Korean translation for `docs/ko/docs/tutorial/query-params-str-validations.md`. PR [#2415](https://togithub.com/tiangolo/fastapi/pull/2415) by [@hard-coders](https://togithub.com/hard-coders).
- 🌐 Add Korean translation for `docs/ko/docs/python-types.md`. PR [#2267](https://togithub.com/tiangolo/fastapi/pull/2267) by [@jrim](https://togithub.com/jrim).
- 🌐 Add Korean translation for `docs/ko/docs/tutorial/body-nested-models.md`. PR [#2506](https://togithub.com/tiangolo/fastapi/pull/2506) by [@hard-coders](https://togithub.com/hard-coders).
- 🌐 Add Korean translation for `docs/ko/docs/learn/index.md`. PR [#10977](https://togithub.com/tiangolo/fastapi/pull/10977) by [@KaniKim](https://togithub.com/KaniKim).
- 🌐 Initialize translations for Traditional Chinese. PR [#10505](https://togithub.com/tiangolo/fastapi/pull/10505) by [@hsuanchi](https://togithub.com/hsuanchi).
- ✏️ Tweak the german translation of `docs/de/docs/tutorial/index.md`. PR [#10962](https://togithub.com/tiangolo/fastapi/pull/10962) by [@nilslindemann](https://togithub.com/nilslindemann).
- ✏️ Fix typo error in `docs/ko/docs/tutorial/path-params.md`. PR [#10758](https://togithub.com/tiangolo/fastapi/pull/10758) by [@2chanhaeng](https://togithub.com/2chanhaeng).
- 🌐 Add Japanese translation for `docs/ja/docs/tutorial/dependencies/dependencies-with-yield.md`. PR [#1961](https://togithub.com/tiangolo/fastapi/pull/1961) by [@SwftAlpc](https://togithub.com/SwftAlpc).
- 🌐 Add Japanese translation for `docs/ja/docs/tutorial/dependencies/dependencies-in-path-operation-decorators.md`. PR [#1960](https://togithub.com/tiangolo/fastapi/pull/1960) by [@SwftAlpc](https://togithub.com/SwftAlpc).
- 🌐 Add Japanese translation for `docs/ja/docs/tutorial/dependencies/sub-dependencies.md`. PR [#1959](https://togithub.com/tiangolo/fastapi/pull/1959) by [@SwftAlpc](https://togithub.com/SwftAlpc).
- 🌐 Add Japanese translation for `docs/ja/docs/tutorial/background-tasks.md`. PR [#2668](https://togithub.com/tiangolo/fastapi/pull/2668) by [@tokusumi](https://togithub.com/tokusumi).
- 🌐 Add Japanese translation for `docs/ja/docs/tutorial/dependencies/index.md` and `docs/ja/docs/tutorial/dependencies/classes-as-dependencies.md`. PR [#1958](https://togithub.com/tiangolo/fastapi/pull/1958) by [@SwftAlpc](https://togithub.com/SwftAlpc).
- 🌐 Add Japanese translation for `docs/ja/docs/tutorial/response-model.md`. PR [#1938](https://togithub.com/tiangolo/fastapi/pull/1938) by [@SwftAlpc](https://togithub.com/SwftAlpc).
- 🌐 Add Japanese translation for `docs/ja/docs/tutorial/body-multiple-params.md`. PR [#1903](https://togithub.com/tiangolo/fastapi/pull/1903) by [@SwftAlpc](https://togithub.com/SwftAlpc).
- 🌐 Add Japanese translation for `docs/ja/docs/tutorial/path-params-numeric-validations.md`. PR [#1902](https://togithub.com/tiangolo/fastapi/pull/1902) by [@SwftAlpc](https://togithub.com/SwftAlpc).
- 🌐 Add Japanese translation for `docs/ja/docs/python-types.md`. PR [#1899](https://togithub.com/tiangolo/fastapi/pull/1899) by [@SwftAlpc](https://togithub.com/SwftAlpc).
- 🌐 Add Japanese translation for `docs/ja/docs/tutorial/handling-errors.md`. PR [#1953](https://togithub.com/tiangolo/fastapi/pull/1953) by [@SwftAlpc](https://togithub.com/SwftAlpc).
- 🌐 Add Japanese translation for `docs/ja/docs/tutorial/response-status-code.md`. PR [#1942](https://togithub.com/tiangolo/fastapi/pull/1942) by [@SwftAlpc](https://togithub.com/SwftAlpc).
- 🌐 Add Japanese translation for `docs/ja/docs/tutorial/extra-models.md`. PR [#1941](https://togithub.com/tiangolo/fastapi/pull/1941) by [@SwftAlpc](https://togithub.com/SwftAlpc).
- 🌐 Add Japanese translation for `docs/ja/docs/tutorial/schema-extra-example.md`. PR [#1931](https://togithub.com/tiangolo/fastapi/pull/1931) by [@SwftAlpc](https://togithub.com/SwftAlpc).
- 🌐 Add Japanese translation for `docs/ja/docs/tutorial/body-nested-models.md`. PR [#1930](https://togithub.com/tiangolo/fastapi/pull/1930) by [@SwftAlpc](https://togithub.com/SwftAlpc).
- 🌐 Add Japanese translation for `docs/ja/docs/tutorial/body-fields.md`. PR [#1923](https://togithub.com/tiangolo/fastapi/pull/1923) by [@SwftAlpc](https://togithub.com/SwftAlpc).
- 🌐 Add German translation for `docs/de/docs/tutorial/index.md`. PR [#9502](https://togithub.com/tiangolo/fastapi/pull/9502) by [@fhabers21](https://togithub.com/fhabers21).
- 🌐 Add German translation for `docs/de/docs/tutorial/background-tasks.md`. PR [#10566](https://togithub.com/tiangolo/fastapi/pull/10566) by [@nilslindemann](https://togithub.com/nilslindemann).
- ✏️ Fix typo in `docs/ru/docs/index.md`. PR [#10672](https://togithub.com/tiangolo/fastapi/pull/10672) by [@Delitel-WEB](https://togithub.com/Delitel-WEB).
- ✏️ Fix typos in `docs/zh/docs/tutorial/extra-data-types.md`. PR [#10727](https://togithub.com/tiangolo/fastapi/pull/10727) by [@HiemalBeryl](https://togithub.com/HiemalBeryl).
- 🌐 Add Russian translation for `docs/ru/docs/tutorial/dependencies/classes-as-dependencies.md`. PR [#10410](https://togithub.com/tiangolo/fastapi/pull/10410) by [@AlertRED](https://togithub.com/AlertRED).
##### Internal
- 👥 Update FastAPI People. PR [#11074](https://togithub.com/tiangolo/fastapi/pull/11074) by [@tiangolo](https://togithub.com/tiangolo).
- 🔧 Update sponsors: add Coherence. PR [#11066](https://togithub.com/tiangolo/fastapi/pull/11066) by [@tiangolo](https://togithub.com/tiangolo).
- 👷 Upgrade GitHub Action issue-manager. PR [#11056](https://togithub.com/tiangolo/fastapi/pull/11056) by [@tiangolo](https://togithub.com/tiangolo).
- 🍱 Update sponsors: TalkPython badge. PR [#11052](https://togithub.com/tiangolo/fastapi/pull/11052) by [@tiangolo](https://togithub.com/tiangolo).
- 🔧 Update sponsors: TalkPython badge image. PR [#11048](https://togithub.com/tiangolo/fastapi/pull/11048) by [@tiangolo](https://togithub.com/tiangolo).
- 🔧 Update sponsors, remove Deta. PR [#11041](https://togithub.com/tiangolo/fastapi/pull/11041) by [@tiangolo](https://togithub.com/tiangolo).
- 💄 Fix CSS breaking RTL languages (erroneously introduced by a previous RTL PR). PR [#11039](https://togithub.com/tiangolo/fastapi/pull/11039) by [@tiangolo](https://togithub.com/tiangolo).
- 🔧 Add Italian to `mkdocs.yml`. PR [#11016](https://togithub.com/tiangolo/fastapi/pull/11016) by [@alejsdev](https://togithub.com/alejsdev).
- 🔨 Verify `mkdocs.yml` languages in CI, update `docs.py`. PR [#11009](https://togithub.com/tiangolo/fastapi/pull/11009) by [@tiangolo](https://togithub.com/tiangolo).
- 🔧 Update config in `label-approved.yml` to accept translations with 1 reviewer. PR [#11007](https://togithub.com/tiangolo/fastapi/pull/11007) by [@alejsdev](https://togithub.com/alejsdev).
- 👷 Add changes-requested handling in GitHub Action issue manager. PR [#10971](https://togithub.com/tiangolo/fastapi/pull/10971) by [@tiangolo](https://togithub.com/tiangolo).
- 🔧 Group dependencies on dependabot updates. PR [#10952](https://togithub.com/tiangolo/fastapi/pull/10952) by [@Kludex](https://togithub.com/Kludex).
- ⬆ Bump actions/setup-python from 4 to 5. PR [#10764](https://togithub.com/tiangolo/fastapi/pull/10764) by [@dependabot\[bot\]](https://togithub.com/apps/dependabot).
- ⬆ Bump pypa/gh-action-pypi-publish from 1.8.10 to 1.8.11. PR [#10731](https://togithub.com/tiangolo/fastapi/pull/10731) by [@dependabot\[bot\]](https://togithub.com/apps/dependabot).
- ⬆ Bump dawidd6/action-download-artifact from 2.28.0 to 3.0.0. PR [#10777](https://togithub.com/tiangolo/fastapi/pull/10777) by [@dependabot\[bot\]](https://togithub.com/apps/dependabot).
- 🔧 Add support for translations to languages with a longer code name, like `zh-hant`. PR [#10950](https://togithub.com/tiangolo/fastapi/pull/10950) by [@tiangolo](https://togithub.com/tiangolo).
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Never, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate.
This PR contains the following updates: `==0.109.0` -> `==0.109.1`

GitHub Vulnerability Alerts

CVE-2024-24762

Summary

When using form data, `python-multipart` uses a Regular Expression to parse the HTTP `Content-Type` header, including options.

An attacker could send a custom-made `Content-Type` option that is very difficult for the RegEx to process, consuming CPU resources and stalling indefinitely (minutes or more) while holding the main event loop. This means that process can't handle any more requests.

This can create a ReDoS (Regular expression Denial of Service): https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS

This only applies when the app uses form data, parsed with `python-multipart`.

Details

A regular HTTP `Content-Type` header could look like:

`python-multipart` parses the option with this RegEx: https://github.com/andrew-d/python-multipart/blob/d3d16dae4b061c34fe9d3c9081d9800c49fc1f7a/multipart/multipart.py#L72-L74

A custom option could be made and sent to the server to break it with:

This is also reported to Starlette at: https://github.com/encode/starlette/security/advisories/GHSA-93gm-qmq6-w238

PoC

Create a FastAPI app that uses form data:

Then start it with:

Then send the attacking request with:

Stopping it

Because that holds the main loop consuming the CPU non-stop, it's not possible to simply kill Uvicorn with `Ctrl+C` as it can't handle the signal.

To stop it, first check the process ID running Uvicorn:

In this case, the process ID was `59461`, then you can kill it (forcefully, with `-9`) with:

Impact

It's a ReDoS, (Regular expression Denial of Service), it only applies to those reading form data, using `python-multipart`. This way it also affects other libraries using Starlette, like FastAPI.

Original Report

This was originally reported to FastAPI as an email to security@tiangolo.com, sent via https://huntr.com/, the original reporter is Marcello, https://github.com/byt3bl33d3r
Original report to FastAPI
Hey Tiangolo!
My name's Marcello and I work on the ProtectAI/Huntr Threat Research team. A few months ago we got a report (from @nicecatch2000) of a ReDoS affecting another very popular Python web framework. After some internal research, I found that FastAPI is vulnerable to the same ReDoS under certain conditions (only when it parses Form data, not JSON).
Here are the details: I'm using the latest version of FastAPI (0.109.0) and the following code:
```Python
from typing import Annotated
from fastapi.responses import HTMLResponse
from fastapi import FastAPI, Form
from pydantic import BaseModel

class Item(BaseModel):
    username: str

app = FastAPI()

@app.get("/", response_class=HTMLResponse)
async def index():
    return HTMLResponse("Test", status_code=200)

# Form endpoint
@app.post("/submit/")
async def submit(username: Annotated[str, Form()]):
    return {"username": username}

# JSON endpoint
@app.post("/submit_json/")
async def submit_json(item: Item):
    return {"username": item.username}
```
I'm running the above with uvicorn with the following command:
```console
uvicorn server:app
```
Then run the following cURL command:
```
curl -v -X 'POST' -H $'Content-Type: application/x-www-form-urlencoded; !=\"\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\' --data-binary 'input=1' 'http://localhost:8000/submit/'
```
You'll see the server locks up, is unable to serve any more requests and one CPU core is pegged to 100%.
You can even start uvicorn with multiple workers with the --workers 4 argument and as long as you send (workers + 1) requests you'll completely DoS the FastAPI server.
If you try submitting JSON to the /submit_json endpoint with the malicious Content-Type header you'll see it isn't vulnerable. So this only affects FastAPI when it parses Form data.
Cheers

#### Impact
An attacker is able to cause a DoS on a FastAPI server via a malicious Content-Type header if it parses Form data.

#### Occurrences
[params.py L586](https://togithub.com/tiangolo/fastapi/blob/d74b3b25659b42233a669f032529880de8bd6c2d/fastapi/params.py#L586)

Release Notes
tiangolo/fastapi (fastapi)

### [`v0.109.1`](https://togithub.com/tiangolo/fastapi/releases/tag/0.109.1)

[Compare Source](https://togithub.com/tiangolo/fastapi/compare/0.109.0...0.109.1)

##### Security fixes

- ⬆️ Upgrade minimum version of `python-multipart` to `>=0.0.7` to fix a vulnerability when using form data with a ReDoS attack. You can also simply upgrade `python-multipart`.

Read more in the [advisory: Content-Type Header ReDoS](https://togithub.com/tiangolo/fastapi/security/advisories/GHSA-qf9m-vfgh-m389).

##### Features

- ✨ Include HTTP 205 in status codes with no body. PR [#10969](https://togithub.com/tiangolo/fastapi/pull/10969) by [@tiangolo](https://togithub.com/tiangolo).

##### Refactors

- ✅ Refactor tests for duplicate operation ID generation for compatibility with other tools running the FastAPI test suite. PR [#10876](https://togithub.com/tiangolo/fastapi/pull/10876) by [@emmettbutler](https://togithub.com/emmettbutler).
- ♻️ Simplify string format with f-strings in `fastapi/utils.py`. PR [#10576](https://togithub.com/tiangolo/fastapi/pull/10576) by [@eukub](https://togithub.com/eukub).
- 🔧 Fix Ruff configuration unintentionally enabling and re-disabling mccabe complexity check. PR [#10893](https://togithub.com/tiangolo/fastapi/pull/10893) by [@jiridanek](https://togithub.com/jiridanek).
- ✅ Re-enable test in `tests/test_tutorial/test_header_params/test_tutorial003.py` after fix in Starlette. PR [#10904](https://togithub.com/tiangolo/fastapi/pull/10904) by [@ooknimm](https://togithub.com/ooknimm).

##### Docs

- 📝 Tweak wording in `help-fastapi.md`. PR [#11040](https://togithub.com/tiangolo/fastapi/pull/11040) by [@tiangolo](https://togithub.com/tiangolo).
- 📝 Tweak docs for Behind a Proxy. PR [#11038](https://togithub.com/tiangolo/fastapi/pull/11038) by [@tiangolo](https://togithub.com/tiangolo).
- 📝 Add External Link: 10 Tips for adding SQLAlchemy to FastAPI. PR [#11036](https://togithub.com/tiangolo/fastapi/pull/11036) by [@Donnype](https://togithub.com/Donnype).
- 📝 Add External Link: Tips on migrating from Flask to FastAPI and vice-versa. PR [#11029](https://togithub.com/tiangolo/fastapi/pull/11029) by [@jtemporal](https://togithub.com/jtemporal).
- 📝 Deprecate old tutorials: Peewee, Couchbase, encode/databases. PR [#10979](https://togithub.com/tiangolo/fastapi/pull/10979) by [@tiangolo](https://togithub.com/tiangolo).
- ✏️ Fix typo in `fastapi/security/oauth2.py`. PR [#10972](https://togithub.com/tiangolo/fastapi/pull/10972) by [@RafalSkolasinski](https://togithub.com/RafalSkolasinski).
- 📝 Update `HTTPException` details in `docs/en/docs/tutorial/handling-errors.md`. PR [#5418](https://togithub.com/tiangolo/fastapi/pull/5418) by [@papb](https://togithub.com/papb).
- ✏️ A few tweaks in `docs/de/docs/tutorial/first-steps.md`. PR [#10959](https://togithub.com/tiangolo/fastapi/pull/10959) by [@nilslindemann](https://togithub.com/nilslindemann).
- ✏️ Fix link in `docs/en/docs/advanced/async-tests.md`. PR [#10960](https://togithub.com/tiangolo/fastapi/pull/10960) by [@nilslindemann](https://togithub.com/nilslindemann).
- ✏️ Fix typos for Spanish documentation. PR [#10957](https://togithub.com/tiangolo/fastapi/pull/10957) by [@jlopezlira](https://togithub.com/jlopezlira).
- 📝 Add warning about lifespan functions and backwards compatibility with events. PR [#10734](https://togithub.com/tiangolo/fastapi/pull/10734) by [@jacob-indigo](https://togithub.com/jacob-indigo).
- ✏️ Fix broken link in `docs/tutorial/sql-databases.md` in several languages. PR [#10716](https://togithub.com/tiangolo/fastapi/pull/10716) by [@theoohoho](https://togithub.com/theoohoho).
- ✏️ Remove broken links from `external_links.yml`. PR [#10943](https://togithub.com/tiangolo/fastapi/pull/10943) by [@Torabek](https://togithub.com/Torabek).
- 📝 Update template docs with more info about `url_for`. PR [#5937](https://togithub.com/tiangolo/fastapi/pull/5937) by [@EzzEddin](https://togithub.com/EzzEddin).
- 📝 Update usage of Token model in security docs. PR [#9313](https://togithub.com/tiangolo/fastapi/pull/9313) by [@piotrszacilowski](https://togithub.com/piotrszacilowski).
- ✏️ Update highlighted line in `docs/en/docs/tutorial/bigger-applications.md`. PR [#5490](https://togithub.com/tiangolo/fastapi/pull/5490) by [@papb](https://togithub.com/papb).
- 📝 Add External Link: Explore How to Effectively Use JWT With FastAPI. PR [#10212](https://togithub.com/tiangolo/fastapi/pull/10212) by [@aanchlia](https://togithub.com/aanchlia).
- 📝 Add hyperlink to `docs/en/docs/tutorial/static-files.md`. PR [#10243](https://togithub.com/tiangolo/fastapi/pull/10243) by [@hungtsetse](https://togithub.com/hungtsetse).
- 📝 Add External Link: Instrument a FastAPI service adding tracing with OpenTelemetry and send/show traces in Grafana Tempo. PR [#9440](https://togithub.com/tiangolo/fastapi/pull/9440) by [@softwarebloat](https://togithub.com/softwarebloat).
- 📝 Review and rewording of `en/docs/contributing.md`. PR [#10480](https://togithub.com/tiangolo/fastapi/pull/10480) by [@nilslindemann](https://togithub.com/nilslindemann).
- 📝 Add External Link: ML serving and monitoring with FastAPI and Evidently. PR [#9701](https://togithub.com/tiangolo/fastapi/pull/9701) by [@mnrozhkov](https://togithub.com/mnrozhkov).
- 📝 Reword in docs, from "have in mind" to "keep in mind". PR [#10376](https://togithub.com/tiangolo/fastapi/pull/10376) by [@malicious](https://togithub.com/malicious).
- 📝 Add External Link: Talk by Jeny Sadadia. PR [#10265](https://togithub.com/tiangolo/fastapi/pull/10265) by [@JenySadadia](https://togithub.com/JenySadadia).
- 📝 Add location info to `tutorial/bigger-applications.md`. PR [#10552](https://togithub.com/tiangolo/fastapi/pull/10552) by [@nilslindemann](https://togithub.com/nilslindemann).
- ✏️ Fix Pydantic method name in `docs/en/docs/advanced/path-operation-advanced-configuration.md`. PR [#10826](https://togithub.com/tiangolo/fastapi/pull/10826) by [@ahmedabdou14](https://togithub.com/ahmedabdou14).

##### Translations

- 🌐 Add Spanish translation for `docs/es/docs/external-links.md`. PR [#10933](https://togithub.com/tiangolo/fastapi/pull/10933) by [@pablocm83](https://togithub.com/pablocm83).
- 🌐 Update Korean translation for `docs/ko/docs/tutorial/first-steps.md`, `docs/ko/docs/tutorial/index.md`, `docs/ko/docs/tutorial/path-params.md`, and `docs/ko/docs/tutorial/query-params.md`. PR [#4218](https://togithub.com/tiangolo/fastapi/pull/4218) by [@SnowSuno](https://togithub.com/SnowSuno).
- 🌐 Add Chinese translation for `docs/zh/docs/tutorial/dependencies/dependencies-with-yield.md`. PR [#10870](https://togithub.com/tiangolo/fastapi/pull/10870) by [@zhiquanchi](https://togithub.com/zhiquanchi).
- 🌐 Add Chinese translation for `docs/zh/docs/deployment/concepts.md`. PR [#10282](https://togithub.com/tiangolo/fastapi/pull/10282) by [@xzmeng](https://togithub.com/xzmeng).
- 🌐 Add Azerbaijani translation for `docs/az/docs/index.md`. PR [#11047](https://togithub.com/tiangolo/fastapi/pull/11047) by [@aykhans](https://togithub.com/aykhans).
- 🌐 Add Korean translation for `docs/ko/docs/tutorial/middleware.md`. PR [#2829](https://togithub.com/tiangolo/fastapi/pull/2829) by [@JeongHyeongKim](https://togithub.com/JeongHyeongKim).
- 🌐 Add German translation for `docs/de/docs/tutorial/body-nested-models.md`. PR [#10313](https://togithub.com/tiangolo/fastapi/pull/10313) by [@nilslindemann](https://togithub.com/nilslindemann).
- 🌐 Add Persian translation for `docs/fa/docs/tutorial/middleware.md`. PR [#9695](https://togithub.com/tiangolo/fastapi/pull/9695) by [@mojtabapaso](https://togithub.com/mojtabapaso).
- 🌐 Update Farsi translation for `docs/fa/docs/index.md`. PR [#10216](https://togithub.com/tiangolo/fastapi/pull/10216) by [@theonlykingpin](https://togithub.com/theonlykingpin).
- 🌐 Add German translation for `docs/de/docs/tutorial/body-fields.md`. PR [#10310](https://togithub.com/tiangolo/fastapi/pull/10310) by [@nilslindemann](https://togithub.com/nilslindemann).
- 🌐 Add German translation for `docs/de/docs/tutorial/body.md`. PR [#10295](https://togithub.com/tiangolo/fastapi/pull/10295) by [@nilslindemann](https://togithub.com/nilslindemann).
- 🌐 Add German translation for `docs/de/docs/tutorial/body-multiple-params.md`. PR [#10308](https://togithub.com/tiangolo/fastapi/pull/10308) by [@nilslindemann](https://togithub.com/nilslindemann).
- 🌐 Add Japanese translation for `docs/ja/docs/tutorial/security/get-current-user.md`. PR [#2681](https://togithub.com/tiangolo/fastapi/pull/2681) by [@sh0nk](https://togithub.com/sh0nk).
- 🌐 Add Chinese translation for `docs/zh/docs/advanced/advanced-dependencies.md`. PR [#3798](https://togithub.com/tiangolo/fastapi/pull/3798) by [@jaystone776](https://togithub.com/jaystone776).
- 🌐 Add Chinese translation for `docs/zh/docs/advanced/events.md`. PR [#3815](https://togithub.com/tiangolo/fastapi/pull/3815) by [@jaystone776](https://togithub.com/jaystone776).
- 🌐 Add Chinese translation for `docs/zh/docs/advanced/behind-a-proxy.md`. PR [#3820](https://togithub.com/tiangolo/fastapi/pull/3820) by [@jaystone776](https://togithub.com/jaystone776).
- 🌐 Add Chinese translation for `docs/zh/docs/advanced/testing-events.md`. PR [#3818](https://togithub.com/tiangolo/fastapi/pull/3818) by [@jaystone776](https://togithub.com/jaystone776).
- 🌐 Add Chinese translation for `docs/zh/docs/advanced/testing-websockets.md`. PR [#3817](https://togithub.com/tiangolo/fastapi/pull/3817) by [@jaystone776](https://togithub.com/jaystone776).
- 🌐 Add Chinese translation for `docs/zh/docs/advanced/testing-database.md`. PR [#3821](https://togithub.com/tiangolo/fastapi/pull/3821) by [@jaystone776](https://togithub.com/jaystone776).
- 🌐 Add Chinese translation for `docs/zh/docs/deployment/deta.md`. PR [#3837](https://togithub.com/tiangolo/fastapi/pull/3837) by [@jaystone776](https://togithub.com/jaystone776).
- 🌐 Add Chinese translation for `docs/zh/docs/history-design-future.md`. PR [#3832](https://togithub.com/tiangolo/fastapi/pull/3832) by [@jaystone776](https://togithub.com/jaystone776).
- 🌐 Add Chinese translation for `docs/zh/docs/project-generation.md`. PR [#3831](https://togithub.com/tiangolo/fastapi/pull/3831) by [@jaystone776](https://togithub.com/jaystone776).
- 🌐 Add Chinese translation for `docs/zh/docs/deployment/docker.md`. PR [#10296](https://togithub.com/tiangolo/fastapi/pull/10296) by [@xzmeng](https://togithub.com/xzmeng).
- 🌐 Update Spanish translation for `docs/es/docs/features.md`. PR [#10884](https://togithub.com/tiangolo/fastapi/pull/10884) by [@pablocm83](https://togithub.com/pablocm83).
- 🌐 Add Spanish translation for `docs/es/docs/newsletter.md`. PR [#10922](https://togithub.com/tiangolo/fastapi/pull/10922) by [@pablocm83](https://togithub.com/pablocm83).
- 🌐 Add Korean translation for `docs/ko/docs/tutorial/background-tasks.md`. PR [#5910](https://togithub.com/tiangolo/fastapi/pull/5910) by [@junah201](https://togithub.com/junah201).
- 🌐 Add Turkish translation for `docs/tr/docs/alternatives.md`. PR [#10502](https://togithub.com/tiangolo/fastapi/pull/10502) by [@alperiox](https://togithub.com/alperiox).
- 🌐 Add Korean translation for `docs/ko/docs/tutorial/dependencies/index.md`. PR [#10989](https://togithub.com/tiangolo/fastapi/pull/10989) by [@KaniKim](https://togithub.com/KaniKim).
- 🌐 Add Korean translation for `/docs/ko/docs/tutorial/body.md`. PR [#11000](https://togithub.com/tiangolo/fastapi/pull/11000) by [@KaniKim](https://togithub.com/KaniKim).
- 🌐 Add Portuguese translation for `docs/pt/docs/tutorial/schema-extra-example.md`. PR [#4065](https://togithub.com/tiangolo/fastapi/pull/4065) by [@luccasmmg](https://togithub.com/luccasmmg).
- 🌐 Add Turkish translation for `docs/tr/docs/history-design-future.md`. PR [#11012](https://togithub.com/tiangolo/fastapi/pull/11012) by [@hasansezertasan](https://togithub.com/hasansezertasan).
- 🌐 Add Turkish translation for `docs/tr/docs/resources/index.md`. PR [#11020](https://togithub.com/tiangolo/fastapi/pull/11020) by [@hasansezertasan](https://togithub.com/hasansezertasan).
- 🌐 Add Turkish translation for `docs/tr/docs/how-to/index.md`. PR [#11021](https://togithub.com/tiangolo/fastapi/pull/11021) by [@hasansezertasan](https://togithub.com/hasansezertasan).
- 🌐 Add German translation for `docs/de/docs/tutorial/query-params.md`. PR [#10293](https://togithub.com/tiangolo/fastapi/pull/10293) by [@nilslindemann](https://togithub.com/nilslindemann).
- 🌐 Add German translation for `docs/de/docs/benchmarks.md`. PR [#10866](https://togithub.com/tiangolo/fastapi/pull/10866) by [@nilslindemann](https://togithub.com/nilslindemann).
- 🌐 Add Turkish translation for `docs/tr/docs/learn/index.md`. PR [#11014](https://togithub.com/tiangolo/fastapi/pull/11014) by [@hasansezertasan](https://togithub.com/hasansezertasan).
- 🌐 Add Persian translation for `docs/fa/docs/tutorial/security/index.md`. PR [#9945](https://togithub.com/tiangolo/fastapi/pull/9945) by [@mojtabapaso](https://togithub.com/mojtabapaso).
- 🌐 Add Turkish translation for `docs/tr/docs/help/index.md`. PR [#11013](https://togithub.com/tiangolo/fastapi/pull/11013) by [@hasansezertasan](https://togithub.com/hasansezertasan).
- 🌐 Add Turkish translation for `docs/tr/docs/about/index.md`. PR [#11006](https://togithub.com/tiangolo/fastapi/pull/11006) by [@hasansezertasan](https://togithub.com/hasansezertasan).
- 🌐 Update Turkish translation for `docs/tr/docs/benchmarks.md`. PR [#11005](https://togithub.com/tiangolo/fastapi/pull/11005) by [@hasansezertasan](https://togithub.com/hasansezertasan).
- 🌐 Add Italian translation for `docs/it/docs/index.md`. PR [#5233](https://togithub.com/tiangolo/fastapi/pull/5233) by [@matteospanio](https://togithub.com/matteospanio).
- 🌐 Add Korean translation for `docs/ko/docs/help/index.md`. PR [#10983](https://togithub.com/tiangolo/fastapi/pull/10983) by [@KaniKim](https://togithub.com/KaniKim).
- 🌐 Add Korean translation for `docs/ko/docs/features.md`. PR [#10976](https://togithub.com/tiangolo/fastapi/pull/10976) by [@KaniKim](https://togithub.com/KaniKim).
- 🌐 Add Korean translation for `docs/ko/docs/tutorial/security/get-current-user.md`. PR [#5737](https://togithub.com/tiangolo/fastapi/pull/5737) by [@KdHyeon0661](https://togithub.com/KdHyeon0661).
- 🌐 Add Russian translation for `docs/ru/docs/tutorial/security/first-steps.md`. PR [#10541](https://togithub.com/tiangolo/fastapi/pull/10541) by [@AlertRED](https://togithub.com/AlertRED).
- 🌐 Add Russian translation for `docs/ru/docs/tutorial/handling-errors.md`. PR [#10375](https://togithub.com/tiangolo/fastapi/pull/10375) by [@AlertRED](https://togithub.com/AlertRED).
- 🌐 Add Russian translation for `docs/ru/docs/tutorial/encoder.md`. PR [#10374](https://togithub.com/tiangolo/fastapi/pull/10374) by [@AlertRED](https://togithub.com/AlertRED).
- 🌐 Add Russian translation for `docs/ru/docs/tutorial/body-updates.md`. PR [#10373](https://togithub.com/tiangolo/fastapi/pull/10373) by [@AlertRED](https://togithub.com/AlertRED).
- 🌐 Russian translation: updated `fastapi-people.md`. PR [#10255](https://togithub.com/tiangolo/fastapi/pull/10255) by [@NiKuma0](https://togithub.com/NiKuma0).
- 🌐 Add Japanese translation for `docs/ja/docs/tutorial/security/index.md`. PR [#5798](https://togithub.com/tiangolo/fastapi/pull/5798) by [@3w36zj6](https://togithub.com/3w36zj6).
- 🌐 Add German translation for `docs/de/docs/advanced/generate-clients.md`. PR [#10725](https://togithub.com/tiangolo/fastapi/pull/10725) by [@nilslindemann](https://togithub.com/nilslindemann).
- 🌐 Add German translation for `docs/de/docs/advanced/openapi-webhooks.md`. PR [#10712](https://togithub.com/tiangolo/fastapi/pull/10712) by [@nilslindemann](https://togithub.com/nilslindemann).
- 🌐 Add German translation for `docs/de/docs/advanced/custom-response.md`. PR [#10624](https://togithub.com/tiangolo/fastapi/pull/10624) by [@nilslindemann](https://togithub.com/nilslindemann).
- 🌐 Add German translation for `docs/de/docs/advanced/additional-status-codes.md`. PR [#10617](https://togithub.com/tiangolo/fastapi/pull/10617) by [@nilslindemann](https://togithub.com/nilslindemann).
- 🌐 Add German translation for `docs/de/docs/tutorial/middleware.md`. PR [#10391](https://togithub.com/tiangolo/fastapi/pull/10391) by [@JohannesJungbluth](https://togithub.com/JohannesJungbluth).
- 🌐 Add German translation for introduction documents. PR [#10497](https://togithub.com/tiangolo/fastapi/pull/10497) by [@nilslindemann](https://togithub.com/nilslindemann).
- 🌐 Add Japanese translation for `docs/ja/docs/tutorial/encoder.md`. PR [#1955](https://togithub.com/tiangolo/fastapi/pull/1955) by [@SwftAlpc](https://togithub.com/SwftAlpc).
- 🌐 Add Japanese translation for `docs/ja/docs/tutorial/extra-data-types.md`. PR [#1932](https://togithub.com/tiangolo/fastapi/pull/1932) by [@SwftAlpc](https://togithub.com/SwftAlpc).
- 🌐 Add Turkish translation for `docs/tr/docs/async.md`. PR [#5191](https://togithub.com/tiangolo/fastapi/pull/5191) by [@BilalAlpaslan](https://togithub.com/BilalAlpaslan).
- 🌐 Add Turkish translation for `docs/tr/docs/project-generation.md`. PR [#5192](https://togithub.com/tiangolo/fastapi/pull/5192) by [@BilalAlpaslan](https://togithub.com/BilalAlpaslan).
- 🌐 Add Korean translation for `docs/ko/docs/deployment/docker.md`. PR [#5657](https://togithub.com/tiangolo/fastapi/pull/5657) by [@nearnear](https://togithub.com/nearnear).
- 🌐 Add Korean translation for `docs/ko/docs/deployment/server-workers.md`. PR [#4935](https://togithub.com/tiangolo/fastapi/pull/4935) by [@jujumilk3](https://togithub.com/jujumilk3).
- 🌐 Add Korean translation for `docs/ko/docs/deployment/index.md`. PR [#4561](https://togithub.com/tiangolo/fastapi/pull/4561) by [@jujumilk3](https://togithub.com/jujumilk3).
- 🌐 Add Korean translation for `docs/ko/docs/tutorial/path-operation-configuration.md`. PR [#3639](https://togithub.com/tiangolo/fastapi/pull/3639) by [@jungsu-kwon](https://togithub.com/jungsu-kwon).
- 🌐 Modify the description of `zh` - Traditional Chinese. PR [#10889](https://togithub.com/tiangolo/fastapi/pull/10889) by [@cherinyy](https://togithub.com/cherinyy).
- 🌐 Add Korean translation for `docs/ko/docs/tutorial/static-files.md`. PR [#2957](https://togithub.com/tiangolo/fastapi/pull/2957) by [@jeesang7](https://togithub.com/jeesang7).
- 🌐 Add Korean translation for `docs/ko/docs/tutorial/response-model.md`. PR [#2766](https://togithub.com/tiangolo/fastapi/pull/2766) by [@hard-coders](https://togithub.com/hard-coders).
- 🌐 Add Korean translation for `docs/ko/docs/tutorial/body-multiple-params.md`. PR [#2461](https://togithub.com/tiangolo/fastapi/pull/2461) by [@PandaHun](https://togithub.com/PandaHun).
- 🌐 Add Korean translation for `docs/ko/docs/tutorial/query-params-str-validations.md`. PR [#2415](https://togithub.com/tiangolo/fastapi/pull/2415) by [@hard-coders](https://togithub.com/hard-coders).
- 🌐 Add Korean translation for `docs/ko/docs/python-types.md`. PR [#2267](https://togithub.com/tiangolo/fastapi/pull/2267) by [@jrim](https://togithub.com/jrim).
- 🌐 Add Korean translation for `docs/ko/docs/tutorial/body-nested-models.md`. PR [#2506](https://togithub.com/tiangolo/fastapi/pull/2506) by [@hard-coders](https://togithub.com/hard-coders).
- 🌐 Add Korean translation for `docs/ko/docs/learn/index.md`. PR [#10977](https://togithub.com/tiangolo/fastapi/pull/10977) by [@KaniKim](https://togithub.com/KaniKim).
- 🌐 Initialize translations for Traditional Chinese. PR [#10505](https://togithub.com/tiangolo/fastapi/pull/10505) by [@hsuanchi](https://togithub.com/hsuanchi).
- ✏️ Tweak the German translation of `docs/de/docs/tutorial/index.md`. PR [#10962](https://togithub.com/tiangolo/fastapi/pull/10962) by [@nilslindemann](https://togithub.com/nilslindemann).
- ✏️ Fix typo error in `docs/ko/docs/tutorial/path-params.md`. PR [#10758](https://togithub.com/tiangolo/fastapi/pull/10758) by [@2chanhaeng](https://togithub.com/2chanhaeng).
- 🌐 Add Japanese translation for `docs/ja/docs/tutorial/dependencies/dependencies-with-yield.md`. PR [#1961](https://togithub.com/tiangolo/fastapi/pull/1961) by [@SwftAlpc](https://togithub.com/SwftAlpc).
- 🌐 Add Japanese translation for `docs/ja/docs/tutorial/dependencies/dependencies-in-path-operation-decorators.md`. PR [#1960](https://togithub.com/tiangolo/fastapi/pull/1960) by [@SwftAlpc](https://togithub.com/SwftAlpc).
- 🌐 Add Japanese translation for `docs/ja/docs/tutorial/dependencies/sub-dependencies.md`. PR [#1959](https://togithub.com/tiangolo/fastapi/pull/1959) by [@SwftAlpc](https://togithub.com/SwftAlpc).
- 🌐 Add Japanese translation for `docs/ja/docs/tutorial/background-tasks.md`. PR [#2668](https://togithub.com/tiangolo/fastapi/pull/2668) by [@tokusumi](https://togithub.com/tokusumi).
- 🌐 Add Japanese translation for `docs/ja/docs/tutorial/dependencies/index.md` and `docs/ja/docs/tutorial/dependencies/classes-as-dependencies.md`. PR [#1958](https://togithub.com/tiangolo/fastapi/pull/1958) by [@SwftAlpc](https://togithub.com/SwftAlpc).
- 🌐 Add Japanese translation for `docs/ja/docs/tutorial/response-model.md`. PR [#1938](https://togithub.com/tiangolo/fastapi/pull/1938) by [@SwftAlpc](https://togithub.com/SwftAlpc).
- 🌐 Add Japanese translation for `docs/ja/docs/tutorial/body-multiple-params.md`. PR [#1903](https://togithub.com/tiangolo/fastapi/pull/1903) by [@SwftAlpc](https://togithub.com/SwftAlpc).
- 🌐 Add Japanese translation for `docs/ja/docs/tutorial/path-params-numeric-validations.md`. PR [#1902](https://togithub.com/tiangolo/fastapi/pull/1902) by [@SwftAlpc](https://togithub.com/SwftAlpc).
- 🌐 Add Japanese translation for `docs/ja/docs/python-types.md`. PR [#1899](https://togithub.com/tiangolo/fastapi/pull/1899) by [@SwftAlpc](https://togithub.com/SwftAlpc).
- 🌐 Add Japanese translation for `docs/ja/docs/tutorial/handling-errors.md`. PR [#1953](https://togithub.com/tiangolo/fastapi/pull/1953) by [@SwftAlpc](https://togithub.com/SwftAlpc).
- 🌐 Add Japanese translation for `docs/ja/docs/tutorial/response-status-code.md`. PR [#1942](https://togithub.com/tiangolo/fastapi/pull/1942) by [@SwftAlpc](https://togithub.com/SwftAlpc).
- 🌐 Add Japanese translation for `docs/ja/docs/tutorial/extra-models.md`. PR [#1941](https://togithub.com/tiangolo/fastapi/pull/1941) by [@SwftAlpc](https://togithub.com/SwftAlpc).
- 🌐 Add Japanese translation for `docs/ja/docs/tutorial/schema-extra-example.md`. PR [#1931](https://togithub.com/tiangolo/fastapi/pull/1931) by [@SwftAlpc](https://togithub.com/SwftAlpc).
- 🌐 Add Japanese translation for `docs/ja/docs/tutorial/body-nested-models.md`. PR [#1930](https://togithub.com/tiangolo/fastapi/pull/1930) by [@SwftAlpc](https://togithub.com/SwftAlpc).
- 🌐 Add Japanese translation for `docs/ja/docs/tutorial/body-fields.md`. PR [#1923](https://togithub.com/tiangolo/fastapi/pull/1923) by [@SwftAlpc](https://togithub.com/SwftAlpc).
- 🌐 Add German translation for `docs/de/docs/tutorial/index.md`. PR [#9502](https://togithub.com/tiangolo/fastapi/pull/9502) by [@fhabers21](https://togithub.com/fhabers21).
- 🌐 Add German translation for `docs/de/docs/tutorial/background-tasks.md`. PR [#10566](https://togithub.com/tiangolo/fastapi/pull/10566) by [@nilslindemann](https://togithub.com/nilslindemann).
- ✏️ Fix typo in `docs/ru/docs/index.md`. PR [#10672](https://togithub.com/tiangolo/fastapi/pull/10672) by [@Delitel-WEB](https://togithub.com/Delitel-WEB).
- ✏️ Fix typos in `docs/zh/docs/tutorial/extra-data-types.md`. PR [#10727](https://togithub.com/tiangolo/fastapi/pull/10727) by [@HiemalBeryl](https://togithub.com/HiemalBeryl).
- 🌐 Add Russian translation for `docs/ru/docs/tutorial/dependencies/classes-as-dependencies.md`. PR [#10410](https://togithub.com/tiangolo/fastapi/pull/10410) by [@AlertRED](https://togithub.com/AlertRED).

##### Internal

- 👥 Update FastAPI People. PR [#11074](https://togithub.com/tiangolo/fastapi/pull/11074) by [@tiangolo](https://togithub.com/tiangolo).
- 🔧 Update sponsors: add Coherence. PR [#11066](https://togithub.com/tiangolo/fastapi/pull/11066) by [@tiangolo](https://togithub.com/tiangolo).
- 👷 Upgrade GitHub Action issue-manager. PR [#11056](https://togithub.com/tiangolo/fastapi/pull/11056) by [@tiangolo](https://togithub.com/tiangolo).
- 🍱 Update sponsors: TalkPython badge. PR [#11052](https://togithub.com/tiangolo/fastapi/pull/11052) by [@tiangolo](https://togithub.com/tiangolo).
- 🔧 Update sponsors: TalkPython badge image. PR [#11048](https://togithub.com/tiangolo/fastapi/pull/11048) by [@tiangolo](https://togithub.com/tiangolo).
- 🔧 Update sponsors, remove Deta. PR [#11041](https://togithub.com/tiangolo/fastapi/pull/11041) by [@tiangolo](https://togithub.com/tiangolo).
- 💄 Fix CSS breaking RTL languages (erroneously introduced by a previous RTL PR). PR [#11039](https://togithub.com/tiangolo/fastapi/pull/11039) by [@tiangolo](https://togithub.com/tiangolo).
- 🔧 Add Italian to `mkdocs.yml`. PR [#11016](https://togithub.com/tiangolo/fastapi/pull/11016) by [@alejsdev](https://togithub.com/alejsdev).
- 🔨 Verify `mkdocs.yml` languages in CI, update `docs.py`. PR [#11009](https://togithub.com/tiangolo/fastapi/pull/11009) by [@tiangolo](https://togithub.com/tiangolo).
- 🔧 Update config in `label-approved.yml` to accept translations with 1 reviewer. PR [#11007](https://togithub.com/tiangolo/fastapi/pull/11007) by [@alejsdev](https://togithub.com/alejsdev).
- 👷 Add changes-requested handling in GitHub Action issue manager. PR [#10971](https://togithub.com/tiangolo/fastapi/pull/10971) by [@tiangolo](https://togithub.com/tiangolo).
- 🔧 Group dependencies on dependabot updates. PR [#10952](https://togithub.com/tiangolo/fastapi/pull/10952) by [@Kludex](https://togithub.com/Kludex).
- ⬆ Bump actions/setup-python from 4 to 5. PR [#10764](https://togithub.com/tiangolo/fastapi/pull/10764) by [@dependabot\[bot\]](https://togithub.com/apps/dependabot).
- ⬆ Bump pypa/gh-action-pypi-publish from 1.8.10 to 1.8.11. PR [#10731](https://togithub.com/tiangolo/fastapi/pull/10731) by [@dependabot\[bot\]](https://togithub.com/apps/dependabot).
- ⬆ Bump dawidd6/action-download-artifact from 2.28.0 to 3.0.0. PR [#10777](https://togithub.com/tiangolo/fastapi/pull/10777) by [@dependabot\[bot\]](https://togithub.com/apps/dependabot).
- 🔧 Add support for translations to languages with a longer code name, like `zh-hant`. PR [#10950](https://togithub.com/tiangolo/fastapi/pull/10950) by [@tiangolo](https://togithub.com/tiangolo).

Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Never, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate.
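The security fix in the release notes above raises the minimum `python-multipart` version to `>=0.0.7`. The following is an added example, not code from FastAPI, python-multipart or Renovate: a small audit that flags requirement lines which pin or still permit an older `python-multipart`, and checks the version installed in the current environment. The helper names and the sample requirements text are constructed for illustration.

```python
import re
from importlib import metadata

PACKAGE = "python-multipart"
MIN_FIXED = (0, 0, 7)  # from the v0.109.1 release notes: python-multipart >=0.0.7

# Constructed sample requirements file (not taken from any real project).
SAMPLE_REQUIREMENTS = """\
# web stack
fastapi==0.109.0
python-multipart==0.0.6   # exact pin below the fix
Python_Multipart>=0.0.5,<0.1
python-multipart[extra]>=0.0.7 ; python_version >= "3.8"
python-multipart
uvicorn>=0.23
"""


def canonical(name):
    """Normalize a distribution name (case, '-', '_' and '.' are equivalent)."""
    return re.sub(r"[-_.]+", "-", name.strip()).lower()


def parse_version(text):
    """Leading numeric release components only: '0.0.7.post1' -> (0, 0, 7).
    Pre-release suffixes are ignored, so '0.0.7rc1' is treated as 0.0.7."""
    parts = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def parse_requirement(line):
    """Return (canonical_name, [(operator, version_tuple), ...]) or None."""
    line = line.split("#", 1)[0].split(";", 1)[0].strip()  # drop comment and marker
    if not line or line.startswith("-"):                   # blank or pip option line
        return None
    match = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
    if not match:
        return None
    rest = line[match.end():].strip()
    if rest.startswith("["):                               # skip extras
        rest = rest.split("]", 1)[-1]
    specs = []
    for clause in rest.split(","):
        clause = clause.strip()
        for op in ("===", "==", ">=", "<=", "~=", "!=", ">", "<"):
            if clause.startswith(op):
                specs.append((op, parse_version(clause[len(op):])))
                break
    return canonical(match.group(0)), specs


def classify(specs):
    """'vulnerable' = exact pin below the fix; 'allows-vulnerable' = the range
    still admits an older release; 'unpinned' = no constraint at all."""
    if not specs:
        return "unpinned"
    for op, ver in specs:
        if op in ("==", "==="):
            return "ok" if ver >= MIN_FIXED else "vulnerable"
    lower_bounds = [ver for op, ver in specs if op in (">=", ">", "~=")]
    if lower_bounds and max(lower_bounds) >= MIN_FIXED:
        return "ok"
    return "allows-vulnerable"


def audit(requirements_text):
    """Return [(line_number, status)] for every python-multipart requirement."""
    findings = []
    for lineno, line in enumerate(requirements_text.splitlines(), start=1):
        parsed = parse_requirement(line)
        if parsed and parsed[0] == PACKAGE:
            findings.append((lineno, classify(parsed[1])))
    return findings


def installed_status():
    """Check the python-multipart actually installed in this environment."""
    try:
        version = metadata.version(PACKAGE)
    except metadata.PackageNotFoundError:
        return "not-installed"
    return "ok" if parse_version(version) >= MIN_FIXED else "vulnerable"


if __name__ == "__main__":
    for lineno, status in audit(SAMPLE_REQUIREMENTS):
        print(f"requirements line {lineno}: {status}")
    print(f"installed {PACKAGE}: {installed_status()}")
```

The installed-version check matters more than the requirements file: a range such as `>=0.0.5` only says what may be installed, while the resolved environment says what is.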