drf-simple-apikey is vulnerable to Improper Input Validation
91
Critical Risk
Affected versions of this package are vulnerable to multiple security risks due to inadequate API key authentication handling and insufficient hardening against timing attacks and unvalidated input.

Prior to this commit, the authentication backend did not use constant-time comparisons when verifying API keys, so it was susceptible to timing analysis that could allow an attacker to infer valid API key values from response timing. Additionally, endpoint analytics paths were stored without sanitization, allowing malicious or malformed path data to be introduced into analytics tracking and potentially causing unexpected behavior or injection risks.

The commit adds timing-attack protection (constant-time comparisons and artificial delays), input sanitization for analytics endpoint paths, Fernet key validation, HTTPS enforcement in production, and a suite of new security-related settings and audit logging to strengthen protection of API key usage.
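As an added illustration, not code from drf-simple-apikey or from its fix, the Python below shows the shape of the two weaknesses described above and their mitigations: a timing-unsafe key check beside a constant-time replacement built on `hmac.compare_digest`, a sanitizer for analytics endpoint paths, and a basic format check for a Fernet key. The key-store layout, all function names and the sample values are hypothetical and constructed for this example.

```python
import base64
import binascii
import hashlib
import hmac
import re
from typing import Optional

# Constructed sample key store (hypothetical layout, not the package's own):
# only the SHA-256 digest of each issued key is kept server-side.
SAMPLE_API_KEY = "example-key-AAAA"  # constructed value, not a real key
VALID_KEY_DIGESTS = {hashlib.sha256(SAMPLE_API_KEY.encode("utf-8")).digest()}


def verify_key_naive(presented: str) -> bool:
    """Timing-unsafe pattern: '==' on bytes returns at the first differing
    byte, so the response time depends on the length of the common prefix."""
    digest = hashlib.sha256(presented.encode("utf-8")).digest()
    for stored in VALID_KEY_DIGESTS:
        if digest == stored:  # early exit leaks how far the match got
            return True
    return False


def verify_key_constant_time(presented: str) -> bool:
    """Hardened check: hmac.compare_digest runs in time independent of where
    the inputs differ, and the loop visits every stored digest so the position
    of a hit within the set is not leaked either."""
    digest = hashlib.sha256(presented.encode("utf-8")).digest()
    matched = False
    for stored in VALID_KEY_DIGESTS:
        matched |= hmac.compare_digest(digest, stored)
    return matched


MAX_PATH_LEN = 256
# Only plain URL path characters are accepted; angle brackets, quotes, control
# characters and non-ASCII are rejected outright rather than escaped.
SAFE_PATH_RE = re.compile(r"/[A-Za-z0-9._~\-/]*")


def sanitize_endpoint_path(raw: object) -> Optional[str]:
    """Return a normalized path that is safe to record in analytics, or None
    when the value should be dropped instead of stored."""
    if not isinstance(raw, str):
        return None
    # Never record query strings or fragments: they may carry tokens or PII.
    path = raw.split("?", 1)[0].split("#", 1)[0]
    if not path or len(path) > MAX_PATH_LEN:
        return None
    if SAFE_PATH_RE.fullmatch(path) is None:
        return None
    # Collapse empty and dot segments so '/a//b/../c' and '/a/c' count as one.
    parts = []
    for segment in path.split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            if parts:
                parts.pop()
            continue
        parts.append(segment)
    return "/" + "/".join(parts)


def is_valid_fernet_key(key: object) -> bool:
    """A Fernet key is 32 random bytes encoded as 44 characters of URL-safe
    base64. Checking the format at startup avoids failing on first use."""
    if not isinstance(key, str) or len(key) != 44:
        return False
    try:
        raw = base64.urlsafe_b64decode(key.encode("ascii"))
    except (binascii.Error, ValueError):
        return False
    return len(raw) == 32


SAMPLE_FERNET_KEY = "AQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQE="  # constructed: 32 x 0x01


if __name__ == "__main__":
    print("naive:", verify_key_naive(SAMPLE_API_KEY))
    print("constant-time:", verify_key_constant_time(SAMPLE_API_KEY))
    print(sanitize_endpoint_path("/api/v1/users?token=abc"))
    print(sanitize_endpoint_path("/api/<script>"))
    print(is_valid_fernet_key(SAMPLE_FERNET_KEY))
```

Hashing the presented key before comparison and then using `hmac.compare_digest` removes both the length and the prefix-match timing signal; the sanitizer drops rather than escapes suspicious paths, which is the safer default for data that only feeds analytics.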
You are affected if you are using a vulnerable version of the package.
drf-simple-apikey is vulnerable to Improper Input Validation in versions 0.0.1 - 2.2.1.
Upgrade the drf-simple-apikey library to the patched version.