Spring4shell in Fastapi with Hmac Signatures

Spring4shell (CVE-2022-22965) is a remote code execution vulnerability in Spring MVC and Spring WebFlux applications that exploit data binding via property editors, typically when request payloads are bound to Java objects. While FastAPI is a Python framework and not directly vulnerable to the Java-based Spring4shell vector, a similar risk pattern can emerge when a FastAPI service is designed to interoperate with or proxy requests to a Spring backend, and it uses HMAC signatures for request authentication without strict schema validation.

When HMAC signatures are used in FastAPI to verify request integrity, the typical flow is: the client computes a signature over selected request attributes (e.g., timestamp, payload, headers) using a shared secret, and the server recomputes and compares the signature. If the FastAPI service accepts arbitrary JSON and forwards it to a Spring backend—or if the signature is computed over a subset of fields while the server-side binding is permissive—an attacker can exploit parameter pollution or schema confusion. For example, an attacker may inject unexpected parameters (e.g., nested objects or form fields) that are ignored by the FastAPI signature verification but are processed by the downstream Spring application, triggering remote code execution via data binding.

In a microservice architecture where FastAPI acts as an API gateway or proxy, failing to validate and strictly limit the request schema before computing or verifying HMAC signatures can expose the system. The HMAC layer may appear to ensure integrity, but if the canonicalization step used to generate the signature does not normalize or reject unexpected fields, an attacker can manipulate the forwarded request to the Spring backend. This mismatched enforcement creates a window where the signature validates on the gateway, but the proxied request to the backend carries malicious payloads that trigger CVE-2022-22965-like conditions on the Java side.

To illustrate, consider a FastAPI endpoint that accepts JSON, selects fields for signing, and forwards the request. If the canonicalization does not enforce a strict schema, extra fields can be appended before signing or omitted after signing without detection. An attacker can send additional parameters intended for the backend, leveraging Spring’s data binding to execute arbitrary code. Therefore, the combination of HMAC signatures in FastAPI and integration with Spring backends requires rigorous input validation, schema enforcement, and signature coverage that includes all forwarded data to prevent abuse across the service boundary.

To mitigate risks when using HMAC signatures in FastAPI, enforce strict request schema validation and ensure the signature covers all data that is forwarded to downstream services. Below are concrete code examples demonstrating secure handling.

Secure HMAC verification with strict schema validation

import hmac
import hashlib
from fastapi import FastAPI, Request, HTTPException, Depends
from pydantic import BaseModel, ValidationError
from typing import Any, Dict

app = FastAPI()

SECRET = b"super-secret-key"

class ValidatedRequest(BaseModel):
    timestamp: int
    action: str
    payload: Dict[str, Any]

def verify_hmac(request: Request) -> bool:
    body = request.body()
    signature = request.headers.get("X-API-Signature")
    if not signature:
        return False
    mac = hmac.new(SECRET, body, digestmod=hashlib.sha256)
    expected = mac.hexdigest()
    return hmac.compare_digest(expected, signature)

@app.post("/secure-endpoint")
async def secure_endpoint(request: Request):
    if not verify_hmac(request):
        raise HTTPException(status_code=401, detail="Invalid signature")
    try:
        data = ValidatedRequest(**request.json())
    except ValidationError:
        raise HTTPException(status_code=400, detail="Invalid payload schema")
    # Forward data to backend ensuring only validated fields are included
    forwarded_payload = {
        "timestamp": data.timestamp,
        "action": data.action,
        "payload": data.payload,
    }
    # Implement backend call with forwarded_payload
    return {"status": "ok"}

Canonicalization and signature coverage

Ensure that the data used to generate and verify the HMAC uses a canonical form to avoid discrepancies between client and server. For JSON payloads, sort keys and exclude non-essential fields that should not influence integrity.

import json
import hmac
import hashlib

def canonical_json(data: dict) -> bytes:
    # Sort keys recursively to ensure deterministic serialization
    return json.dumps(data, sort_keys=True, separators=(",", ":")).encode()

payload = {
    "timestamp": 1718000000,
    "action": "create",
    "payload": {"id": 123, "details": {"name": "test"}},
}
signed = hmac.new(SECRET, canonical_json(payload), digestmod=hashlib.sha256).hexdigest()

Rejecting unexpected fields

Configure Pydantic models to reject extra fields to prevent parameter pollution that could reach backend systems like Spring. This ensures that only explicitly defined parameters are processed and forwarded.

from pydantic import BaseModel, ConfigDict

class StrictRequest(BaseModel):
    model_config = ConfigDict(extra="forbid")
    timestamp: int
    action: str
    payload: Dict[str, Any]

By combining strict schema validation, canonicalized HMAC computation, and rejection of extra fields, FastAPI services can securely use HMAC signatures while minimizing risks when interacting with backend frameworks such as Spring.