CVE-2024-30248: FastAPI Starlette StaticFiles Missing CSP

Provally Curated | Public repository | Medium | Medium confidence | Verified | Apache-2.0 | python
greprules fetch cve-2024-30248-fastapi-starlette-staticfiles-missing-csp --engine opengrep

Description

The application mounts a `StaticFiles` directory without applying Content-Security-Policy (CSP) headers. If this directory serves user-uploaded files, an attacker could upload and execute malicious scripts (e.g., via embedded JavaScript in SVG files), leading to Stored Cross-Site Scripting (XSS). Wrap the `StaticFiles` application in a middleware that adds a
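An added example (not the rule's or Starlette's own code) of the wrapping described above: a pure-ASGI middleware that stamps a Content-Security-Policy header on every response of the app it wraps. The policy string and the `fake_static_app` stand-in (a constructed ASGI app serving an SVG with an embedded script, so the example runs without Starlette installed) are assumptions; in a real service the wrapped app is `StaticFiles(directory=...)`.

```python
import asyncio

# Strict CSP for a directory of user-uploaded files: scripts, plugins and
# framing are all denied. Assumed policy for this example; tune per deployment.
UPLOAD_CSP = "default-src 'none'; sandbox; frame-ancestors 'none'"

class CSPHeaderMiddleware:
    """Pure-ASGI wrapper that adds a Content-Security-Policy header to every
    HTTP response of the wrapped app (e.g. starlette.staticfiles.StaticFiles)."""

    def __init__(self, app, policy: str = UPLOAD_CSP):
        self.app = app
        self.policy = policy.encode("latin-1")

    async def __call__(self, scope, receive, send):
        if scope["type"] != "http":
            await self.app(scope, receive, send)
            return

        async def send_with_csp(message):
            if message["type"] == "http.response.start":
                # Replace any CSP the inner app set with the strict one.
                headers = [(k, v) for k, v in message.get("headers", [])
                           if k.lower() != b"content-security-policy"]
                headers.append((b"content-security-policy", self.policy))
                message = {**message, "headers": headers}
            await send(message)

        await self.app(scope, receive, send_with_csp)

# Constructed stand-in for StaticFiles: serves a canned SVG carrying a script,
# so the example runs without Starlette installed. In a real app, mount it as
#   app.mount("/uploads", CSPHeaderMiddleware(StaticFiles(directory="uploads")))
async def fake_static_app(scope, receive, send):
    body = b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>'
    await send({"type": "http.response.start", "status": 200,
                "headers": [(b"content-type", b"image/svg+xml")]})
    await send({"type": "http.response.body", "body": body})

def response_headers(app, path="/uploads/evil.svg"):
    """Send one GET through `app` and return its response headers as a dict."""
    sent = []
    async def receive():
        return {"type": "http.request", "body": b"", "more_body": False}
    async def send(message):
        sent.append(message)
    scope = {"type": "http", "method": "GET", "path": path, "headers": []}
    asyncio.run(app(scope, receive, send))
    start = next(m for m in sent if m["type"] == "http.response.start")
    return {k.decode(): v.decode() for k, v in start["headers"]}
```

Calling `response_headers(fake_static_app)` shows the unprotected mount has no CSP header, while `response_headers(CSPHeaderMiddleware(fake_static_app))` carries the strict policy, which is what stops a browser from running the script inside the served SVG.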

Detection target

Not provided

Recommended fix

Not provided

False-positive notes

Not provided
