CVE-2025-53539: fastapi-guard is vulnerable to ReDoS through inefficient regex
6.9
Basic Information
Technical Details
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| fastapi-guard | pip | <= 3.0.0 | 3.0.1 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability CVE-2025-53539 in `fastapi-guard` is a classic case of Regular Expression Denial of Service (ReDoS). The root cause is the use of inefficient regular expressions with unbounded quantifiers (e.g., `*`, `+`) that can lead to catastrophic backtracking when processing certain string patterns. The analysis of the patch `d9d50e8130b7b434cdc1b001b8cfd03a06729f7f` reveals two main areas of concern.
The primary and most critical vulnerability lies within the `SusPatternsManager` class in `guard/handlers/suspatterns_handler.py`. This class defines a long list of regex patterns used to scan incoming HTTP requests for potential attacks such as XSS, SQL injection, and more. The `__new__` method of this class is responsible for compiling these patterns. As penetration detection is enabled by default, any service using `fastapi-guard` would be susceptible to a DoS attack. An attacker could send a small, specially crafted request that matches one of the vulnerable patterns in a way that triggers excessive backtracking, causing the server's CPU to spike and rendering the application unresponsive.
A secondary, less critical but still relevant, vulnerability was identified and fixed in the `fetch_azure_ip_ranges` function within `guard/handlers/cloud_handler.py`. This function also used a vulnerable regex to parse a web page. Although the data being parsed comes from a Microsoft server rather than directly from the user, the patch addressed this to eliminate any potential for a DoS condition.
For a security engineer, the key takeaway is that any runtime profile during an exploit of this CVE would show significant time spent within Python's `re` module functions, called from the request-handling logic that uses the patterns from `SusPatternsManager`. The identified functions are the origin points where these vulnerable patterns are defined and processed.