CVE-2020-7965
Description
flaskparser.py in Webargs 5.x through 5.5.2 doesn't check that the Content-Type header is application/json when receiving JSON input. If the request body is valid JSON, it will accept it even if the content type is application/x-www-form-urlencoded. This allows for JSON POST requests to be made across domains, leading to CSRF.
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ if you've already worked around this in production โ publish your fix to the community-verified tier.
โ Propose a mitigation on Community โ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
References
- https://nvd.nist.gov/vuln/detail/CVE-2020-7965
- https://github.com/marshmallow-code/webargs/commit/b9ee8b0aa668207a363d9fd21d967eeadb975c3e
- https://github.com/marshmallow-code/webargs
- https://github.com/pypa/advisory-database/tree/main/vulns/webargs/PYSEC-2020-156.yaml
- https://webargs.readthedocs.io/en/latest/changelog.html
- https://webargs.readthedocs.io/en/latest/changelog.html#b4-2020-01-28
- https://webargs.readthedocs.io/en/latest/changelog.html#id11
- https://github.com/advisories/GHSA-fjq3-5pxw-4wj4
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.