{
  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "serialNumber": "urn:uuid:f974b415-04f0-5998-9db4-27e0ea099b82",
  "version": 1,
  "metadata": {
    "tools": [
      {
        "name": "tuxcare-vex-generator",
        "version": "1.0.0"
      }
    ]
  },
  "components": [
    {
      "bom-ref": "pkg:pypi/fastapi@0.63.0",
      "type": "library",
      "name": "fastapi",
      "version": "0.63.0",
      "purl": "pkg:pypi/fastapi@0.63.0"
    }
  ],
  "vulnerabilities": [
    {
      "bom-ref": "urn:uuid:9b6c442a-2fa4-543a-81b4-51a84ab3a58c",
      "id": "CVE-2023-29159",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2023-29159 affects version 0.63.0 of fastapi."
      },
      "affects": [
        {
          "ref": "pkg:pypi/fastapi@0.63.0"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:db3ec25e-bc11-5c52-bc31-93261738e152",
      "id": "CVE-2023-30798",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2023-30798 affects version 0.63.0 of fastapi."
      },
      "affects": [
        {
          "ref": "pkg:pypi/fastapi@0.63.0"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:03bc7be2-202a-5146-ab8e-a0f2a8a4dfad",
      "id": "CVE-2024-47874",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2024-47874 affects version 0.63.0 of fastapi."
      },
      "affects": [
        {
          "ref": "pkg:pypi/fastapi@0.63.0"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:c4b47133-754e-5f11-b3a0-10850781113b",
      "id": "CVE-2025-54121",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2025-54121 affects version 0.63.0 of fastapi."
      },
      "affects": [
        {
          "ref": "pkg:pypi/fastapi@0.63.0"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:a708d983-f1b6-5b56-ba78-884227200997",
      "id": "CVE-2025-62727",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2025-62727 affects version 0.63.0 of fastapi."
      },
      "affects": [
        {
          "ref": "pkg:pypi/fastapi@0.63.0"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:a51783aa-f961-5c77-88e1-e41443dafd57",
      "id": "CVE-2026-48710",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-48710 affects version 0.63.0 of fastapi."
      },
      "affects": [
        {
          "ref": "pkg:pypi/fastapi@0.63.0"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:4c97b2fc-2ff6-5c93-8670-8254057796ac",
      "id": "CVE-2026-48817",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2026-48817 does not affect version 0.63.0 of fastapi. FastAPI 0.63.0 is not affected by CVE-2026-48817. The vulnerability exists in Starlette's HTTPEndpoint class, which is not defined, used, or vendored in the FastAPI codebase. While FastAPI depends on Starlette, FastAPI's own code does not create or register any HTTPEndpoint subclasses. The CVE mentions FastAPI as potentially affected because FastAPI users could import HTTPEndpoint from Starlette... [detail truncated] This statement covers only the fastapi package's own code; the Starlette version installed alongside it should be assessed separately."
      },
      "affects": [
        {
          "ref": "pkg:pypi/fastapi@0.63.0"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:3404f8dc-3367-5df0-be4a-e2ee279ac03d",
      "id": "CVE-2026-48818",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2026-48818 does not affect version 0.63.0 of fastapi. FastAPI is not affected by CVE-2026-48818. The vulnerability exists in Starlette's StaticFiles.lookup_path() method, which FastAPI re-exports as a convenience but does not implement. FastAPI's source code contains no StaticFiles implementation, path resolution logic, or any code that processes static file requests. The entire vulnerable code path (UNC path \u2192 os.path.realpath \u2192 SMB connection \u2192 ... [detail truncated] This statement covers only the fastapi package's own code; because StaticFiles is re-exported from Starlette, the Starlette version installed alongside it should be assessed separately."
      },
      "affects": [
        {
          "ref": "pkg:pypi/fastapi@0.63.0"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:397fd20e-18f8-544c-8515-af0237c54cb6",
      "id": "CVE-2026-54283",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2026-54283 does not affect version 0.63.0 of fastapi. The vulnerability CVE-2026-54283 affects Starlette's form parsing implementation for URL-encoded data. FastAPI does not contain the vulnerable source code - it uses Starlette as a dependency and delegates all form parsing to Starlette's Request.form() method. The vulnerable code pattern (unbounded form parsing without enforcing max_fields and max_part_size limits for application/x-www-form-urlencoded... [detail truncated] This statement covers only the fastapi package's own code; because form parsing is delegated to Starlette, the Starlette version installed alongside it should be assessed separately."
      },
      "affects": [
        {
          "ref": "pkg:pypi/fastapi@0.63.0"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:f2eb8158-5675-53e2-9b0f-51f0da2a5aec",
      "id": "GHSA-3qj8-93xh-pwh2",
      "analysis": {
        "state": "false_positive",
        "detail": "Vulnerability GHSA-3qj8-93xh-pwh2 is a false positive for fastapi 0.63.0."
      },
      "affects": [
        {
          "ref": "pkg:pypi/fastapi@0.63.0"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:b2a72931-417b-501c-b724-6ee47edd0de6",
      "id": "GHSA-93gm-qmq6-w238",
      "analysis": {
        "state": "false_positive",
        "detail": "Vulnerability GHSA-93gm-qmq6-w238 is a false positive for fastapi 0.63.0."
      },
      "affects": [
        {
          "ref": "pkg:pypi/fastapi@0.63.0"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:75064ad9-3eac-5d8d-b4b6-39522e319eaf",
      "id": "GHSA-qf9m-vfgh-m389",
      "analysis": {
        "state": "false_positive",
        "detail": "Vulnerability GHSA-qf9m-vfgh-m389 is a false positive for fastapi 0.63.0."
      },
      "affects": [
        {
          "ref": "pkg:pypi/fastapi@0.63.0"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:4799c5ef-c9fa-59de-af8c-191964634a95",
      "id": "GHSA-qj8w-rv5x-2v9h",
      "analysis": {
        "state": "false_positive",
        "detail": "Vulnerability GHSA-qj8w-rv5x-2v9h is a false positive for fastapi 0.63.0."
      },
      "affects": [
        {
          "ref": "pkg:pypi/fastapi@0.63.0"
        }
      ]
    }
  ],
  "dependencies": [
    {
      "ref": "pkg:pypi/fastapi@0.63.0"
    }
  ]
}