AIKIDO-2025-10935
fastcrud is vulnerable to Improper Restriction of Communication Channel to Intended Endpoints
70
High Risk
This Affects:
fastcrudTL;DR
Affected versions of this package are vulnerable to improper restriction of communication channels to intended endpoints due to flawed handling of the exclude_fields parameter in the _create_modified_schema function. The function does not enforce immutability on the exclusion list, allowing callers or dependent code to alter shared state and inadvertently reintroduce sensitive fields such as passwords or API keys into generated schemas. An attacker can exploit this through cache-poisoning or list-manipulation techniques to expose sensitive data that should have been omitted from API responses.
Who does this affect?
You are affected if you are using a version that falls within the vulnerable range.
Background info
fastcrud is vulnerable to Improper Restriction of Communication Channel to Intended Endpoints in versions 0.0.1 - 0.18.1.
How to fix this
Upgrade the fastcrud library to the patch version.
Are You Affected?
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.
SOC 2Compliant
ISO 27001Compliant