CVE-2020-7965 in webargs

Summary

by MITRE

flaskparser.py in Webargs 5.x through 5.5.2 doesn't check that the Content-Type header is application/json when receiving JSON input. If the request body is valid JSON, it will accept it even if the content type is application/x-www-form-urlencoded. This allows for JSON POST requests to be made across domains, leading to CSRF.


Analysis

by VulDB Data Team • 01/30/2020

The vulnerability described in CVE-2020-7965 affects the webargs library, versions 5.x through 5.5.2, specifically the flaskparser.py component that handles JSON input for Flask applications. The flaw is a critical oversight in content-type validation that can lead to cross-site request forgery attacks: the parser fails to enforce Content-Type header validation when processing JSON data, leaving a gap that malicious actors can exploit.

Technically, the vulnerability stems from the absence of Content-Type header verification in the flaskparser.py module. When a web application uses webargs to parse incoming JSON data, the library should confirm that the request's Content-Type header states application/json before processing the payload. In affected versions, however, the parser accepts any valid JSON payload regardless of the Content-Type header, including when the header declares application/x-www-form-urlencoded. This permissive behaviour bypasses the standard mechanisms that rely on content-type validation to distinguish between data formats and to prevent malicious data injection.

The operational impact is significant: the flaw enables cross-site request forgery by allowing JSON POST requests to be made across domains. Attackers can craft requests that appear to come from legitimate sources while exploiting the missing content-type validation, so an authenticated user's browser can be tricked into making unintended JSON requests to a vulnerable application, potentially leading to unauthorized actions or data manipulation. The vulnerability undermines a security model that relies on content-type headers to enforce request handling and authentication boundaries.

This vulnerability aligns with CWE-346, "Origin Validation Error", and maps to ATT&CK technique T1566.001, "Phishing via Service Provider", as it enables attackers to craft convincing cross-domain requests that bypass security controls. The flaw also relates to CWE-20, "Improper Input Validation", since the system fails to validate the content-type header before processing the request data. Organizations running affected versions of webargs are exposed because the issue sits in the fundamental parsing mechanism that many applications rely on for API requests and user input.

The recommended mitigation is to upgrade to webargs version 5.5.3 or later, which validates Content-Type headers before processing JSON payloads. Application developers should also validate input at multiple layers, including explicit Content-Type header checks in their own code, even when relying on third-party libraries. Security teams should assess their web applications for other instances of similarly permissive parsing and ensure that data validation occurs at the appropriate layers of the application architecture.
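The permissive 5.x behaviour described above and the explicit Content-Type check recommended here, side by side, as an added example that is not webargs' own code. It models the request with plain dicts and bytes rather than a real Flask request object; the two sample requests and the `is_json_mimetype` / `parse_json_body` helpers are constructed for this illustration.

```python
import json

# Added example, not webargs code: models the Content-Type check that webargs
# 5.5.3 adds to flaskparser.py next to the permissive 5.x behaviour, using
# plain dicts in place of a real Flask request object.

def is_json_mimetype(content_type):
    """True for application/json and application/*+json, ignoring parameters
    such as '; charset=utf-8'. Returns False for a missing header."""
    if not content_type:
        return False
    mimetype = content_type.split(";", 1)[0].strip().lower()
    if mimetype == "application/json":
        return True
    return mimetype.startswith("application/") and mimetype.endswith("+json")

def parse_json_body(headers, body, enforce_content_type):
    """Return the decoded JSON object, or None if the request is rejected.

    enforce_content_type=False models webargs 5.x through 5.5.2: any body
    that happens to be valid JSON is accepted. enforce_content_type=True
    models the fix: the body is decoded only for a declared JSON type.
    """
    if enforce_content_type and not is_json_mimetype(headers.get("Content-Type")):
        return None
    try:
        data = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return None
    return data if isinstance(data, dict) else None

# Constructed request: a plain HTML form post carries this Content-Type, and
# browsers send it cross-origin without a CORS preflight; the body merely
# happens to be valid JSON, which is the condition the CVE describes.
FORM_REQUEST = {
    "headers": {"Content-Type": "application/x-www-form-urlencoded"},
    "body": b'{"email": "new-address@example.invalid"}',
}
# Constructed request: an ordinary JSON API call from a same-origin client.
JSON_REQUEST = {
    "headers": {"Content-Type": "application/json; charset=utf-8"},
    "body": b'{"email": "new-address@example.invalid"}',
}

if __name__ == "__main__":
    for name, req in (("form", FORM_REQUEST), ("json", JSON_REQUEST)):
        print(name, "5.5.2:", parse_json_body(req["headers"], req["body"], False),
              "5.5.3:", parse_json_body(req["headers"], req["body"], True))
```

Running it shows the form-encoded body accepted only under the permissive setting, while the genuine JSON request is accepted under both.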

Reservation: 01/24/2020
Moderation: accepted
CPE: ready
EPSS: 0.00167
KEV: no
Activities: very low

Sources
