High severity · NVD Advisory · Published Jan 29, 2020 · Updated Aug 4, 2024

CVE-2020-7965

Description

flaskparser.py in Webargs 5.x through 5.5.2 doesn't check that the Content-Type header is application/json when receiving JSON input. If the request body is valid JSON, it will accept it even if the content type is application/x-www-form-urlencoded. This allows for JSON POST requests to be made across domains, leading to CSRF.
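
The missing check described above, sketched as an added example (not webargs's own code; the function names and sample requests are constructed for illustration). It puts a parser that ignores Content-Type beside one that only decodes bodies declared as JSON.

```python
import json

MISSING = object()  # sentinel: "no JSON payload parsed"

def media_type(content_type):
    """Strip parameters such as '; charset=utf-8' and lowercase the type."""
    return (content_type or "").split(";", 1)[0].strip().lower()

def is_json_type(content_type):
    """True for application/json and '+json' types like application/vnd.api+json."""
    mt = media_type(content_type)
    return mt == "application/json" or ("/" in mt and mt.endswith("+json"))

def parse_json_lenient(content_type, body):
    """Behaviour the advisory describes: the header is never consulted."""
    try:
        return json.loads(body)
    except ValueError:
        return MISSING

def parse_json_strict(content_type, body):
    """Hardened form: decode only when the request declares a JSON media type."""
    if not is_json_type(content_type):
        return MISSING
    return parse_json_lenient(content_type, body)

# Constructed sample requests: (Content-Type header, raw body).
BODY = b'{"email": "new@example.com"}'
SAMPLES = [
    ("application/json", BODY),
    ("application/json; charset=utf-8", BODY),
    ("application/vnd.api+json", BODY),
    ("application/x-www-form-urlencoded", BODY),  # the case from the description
    ("text/plain", BODY),
    (None, BODY),  # header absent
]

def compare(samples=SAMPLES):
    """Return (content_type, lenient_accepts, strict_accepts) for each sample."""
    return [
        (ct,
         parse_json_lenient(ct, body) is not MISSING,
         parse_json_strict(ct, body) is not MISSING)
        for ct, body in samples
    ]

if __name__ == "__main__":
    for ct, lenient, strict in compare():
        print(f"{ct!s:36} lenient={lenient!s:5} strict={strict}")
```

The form-encoded and text/plain rows use content types a browser will send cross-origin without a CORS preflight, which is why treating them as JSON matters for CSRF.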

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
|---|---|---|
| webargs (PyPI) | >= 5.0.0, < 5.5.3 | 5.5.3 |
| webargs (PyPI) | >= 6.0.0b1, < 6.0.0b4 | 6.0.0b4 |
