FastAPI
General Information
| Field | Value |
|---|---|
| Package Name | fastapi |
| Manufacturer / Vendor | Sebastián Ramírez (tiangolo) |
| Software Category | Framework |
| Primary Documentation | Documentation, GitHub, PyPI, Tutorial |
| Programming Language(s) | Python |
| License | MIT License |
| Deployed Version(s) | >=0.124.0 (version-locked at 0.124.2–0.128.0 across services) |
| Most Recent Available Version | 0.128.0 |
| Last Review Date | 2026-01-27 |
Overview
FastAPI is a modern, high-performance web framework for building APIs with Python based on standard Python type hints. Built on top of Starlette for the web layer and Pydantic for data validation, FastAPI provides automatic OpenAPI documentation, request/response validation, dependency injection, and asynchronous request handling. It is one of the fastest Python frameworks available, with performance comparable to NodeJS and Go.
Within the medical device software, FastAPI serves as the primary HTTP/REST interface layer powering all external and internal API communications. It is integrated throughout the distributed microservices architecture:
- API Gateway: The client-facing service that exposes clinical endpoints for diagnosis support and severity assessment, device health and information endpoints, and authentication-protected resources
- Control Plane: Orchestrates clinical workflows by routing requests to appropriate downstream services, managing distributed tracing via correlation IDs, and coordinating the expert orchestrator and report builder services
- Expert Orchestrator: Coordinates 50+ expert microservices for clinical sign classification, segmentation, and detection, distributing inference requests and aggregating results
- Report Builder: Generates canonical clinical reports from aggregated expert results, providing structured diagnosis and severity assessment outputs
- Expert Microservices: Each of the 50+ clinical expert models (classifiers, segmenters, detectors) runs as an isolated FastAPI service with prediction endpoints, health checks, and resource monitoring
FastAPI was selected over alternatives (Flask, Django REST Framework, Tornado) due to:
- High performance with native async/await support for concurrent request handling
- Automatic request/response validation using Python type hints and Pydantic models
- Built-in dependency injection system integrating seamlessly with the device's `dependency-injector` container
- Automatic OpenAPI documentation generation for API contract verification
- Strong typing support enabling static type checking and IDE assistance
- Active maintenance with regular security updates and a responsive maintainer
- MIT license permitting commercial use in medical device software
Functional Requirements
The following functional capabilities of this SOUP are relied upon by the medical device software.
| Requirement ID | Description | Source / Reference |
|---|---|---|
| FR-001 | Create web application instances with configurable metadata | FastAPI() class constructor |
| FR-002 | Define HTTP endpoints using route decorators | @app.get(), @app.post(), @router.get(), @router.post() |
| FR-003 | Automatically validate request bodies against Pydantic models | Type hints with BaseModel subclasses |
| FR-004 | Return typed responses with automatic serialization | response_model parameter in route decorators |
| FR-005 | Organize routes using modular router components | APIRouter class with prefix and tags |
| FR-006 | Inject dependencies into route handlers | Depends() function and dependency injection system |
| FR-007 | Register custom exception handlers for error processing | @app.exception_handler() decorator and add_exception_handler() |
| FR-008 | Add middleware for cross-cutting concerns | app.add_middleware() and BaseHTTPMiddleware |
| FR-009 | Implement authentication via HTTP Bearer tokens | HTTPBearer security scheme from fastapi.security |
| FR-010 | Define application lifecycle events (startup/shutdown) | lifespan context manager parameter |
| FR-011 | Return structured error responses with appropriate HTTP status codes | HTTPException class with status_code and detail |
| FR-012 | Include routers with path prefixes for API versioning | app.include_router() with prefix parameter |
| FR-013 | Configure request timeouts for long-running operations | Timeout parameters in route handlers |
| FR-014 | Access request headers for correlation ID propagation | Request object and header extraction |
Performance Requirements
The following performance expectations are relevant to the medical device software.
| Requirement ID | Description | Acceptance Criteria |
|---|---|---|
| PR-001 | API request processing shall complete within acceptable latency bounds | Request handling overhead < 10ms excluding business logic |
| PR-002 | Concurrent request handling shall scale with available resources | Async handlers enable concurrent processing without thread exhaustion |
| PR-003 | Memory usage shall remain stable under sustained request load | No memory leaks during continuous API operation |
| PR-004 | Request validation shall not introduce significant latency overhead | Pydantic validation completes within acceptable bounds |
Hardware Requirements
The following hardware dependencies or constraints are imposed by this SOUP component.
| Requirement ID | Description | Notes / Limitations |
|---|---|---|
| HR-001 | x86-64 or ARM64 processor architecture | Pre-built wheels available for common platforms |
| HR-002 | Sufficient system memory for request processing | Memory scales with concurrent connection count |
| HR-003 | Network interface for HTTP communication | Required for all API endpoints |
Software Requirements
The following software dependencies and environmental assumptions are required by this SOUP component.
| Requirement ID | Description | Dependency / Version Constraints |
|---|---|---|
| SR-001 | Python runtime environment | Python >=3.9 |
| SR-002 | Starlette ASGI framework | Bundled dependency; device uses Starlette >=0.49.0 (locked at 0.50.0) |
| SR-003 | Pydantic data validation library | Bundled dependency; device uses Pydantic >=2.12.0 |
| SR-004 | ASGI server for production deployment | Uvicorn with standard extras >=0.38.0 |
| SR-005 | python-multipart for form data processing | Required for multipart/form-data handling |
Known Anomalies Assessment
This section evaluates publicly reported issues, defects, or security vulnerabilities associated with this SOUP component and their relevance to the medical device software.
| Anomaly Reference | Status | Applicable | Rationale | Reviewed At |
|---|---|---|---|---|
| CVE-2024-24762 (python-multipart ReDoS) | Fixed | No | High severity (CVSS 7.5) ReDoS via crafted Content-Type header in python-multipart. Fixed in FastAPI 0.109.1; device uses >=0.124.0 which includes the fix | 2026-01-27 |
| CVE-2024-47874 (Starlette multipart DoS) | Fixed | No | Critical (CVSS 8.7) memory exhaustion via multipart/form-data without filename. Fixed in Starlette 0.40.0; device uses Starlette >=0.49.0 which includes the fix | 2026-01-27 |
| CVE-2025-54121 (Starlette event loop blocking) | Fixed | No | Moderate (CVSS 5.3) event loop blocking during large file upload rollover. Fixed in Starlette 0.47.2; device uses Starlette >=0.49.0 which includes the fix | 2026-01-27 |
| CVE-2025-62727 (Starlette FileResponse ReDoS) | Fixed | No | ReDoS via crafted HTTP Range header in FileResponse. Fixed in Starlette 0.49.1; device uses Starlette locked at 0.50.0 which includes the fix. Additionally not applicable as device does not serve static files via FileResponse | 2026-01-27 |
| CVE-2025-14546 (fastapi-sso CSRF) | Fixed | No | CSRF in fastapi-sso package due to improper OAuth state validation. The device does not use the fastapi-sso third-party package | 2026-01-27 |
| CVE-2025-68481 (fastapi-users account takeover) | Fixed | No | OAuth state token vulnerability in fastapi-users package. The device does not use the fastapi-users third-party package; authentication is handled internally | 2026-01-27 |
FastAPI is actively maintained by Sebastián Ramírez with a strong track record of prompt security response. The project maintains a security policy for coordinated disclosure. According to Snyk's vulnerability database, the current version (0.128.0) is listed as the latest non-vulnerable version.
The device's usage pattern minimizes attack surface exposure:
- Authenticated endpoints: All clinical and user-facing endpoints require valid JWT authentication via HTTPBearer
- Input validation: Pydantic models validate all request bodies before business logic execution, rejecting malformed data at the framework layer
- Version locking: Requirements lock files pin FastAPI versions across all services: core services (API Gateway, Control Plane) at 0.124.4, expert microservices from 0.125.0 to 0.128.0. All locked versions include the fix for CVE-2024-24762 (fixed in 0.109.1)
- No static file serving: The device does not use `FileResponse` or `StaticFiles`, eliminating exposure to CVE-2025-62727
- Controlled form data: Multipart form handling is limited to specific endpoints with size validation, mitigating DoS risks
- IEC 62304 compliant error handling: Global exception handlers ensure no internal details leak to clients; all errors return sanitized messages with correlation IDs for debugging
- Distributed tracing: Correlation ID middleware enables end-to-end request tracking for security audit trails
- Container isolation: Each microservice runs in isolated containers with restricted filesystem and network access
Risk Control Measures
The following risk control measures are implemented to mitigate potential security and operational risks associated with this SOUP component:
- Version constraints in requirements ensure deployment of patched versions
- JWT authentication prevents unauthenticated access to clinical endpoints
- Pydantic validation rejects malformed requests before processing
- Rate limiting and request size limits prevent resource exhaustion
- Container isolation limits potential impact of any exploitation
- Audit logging with correlation IDs enables forensic analysis of security events
Assessment Methodology
The following methodology was used to identify and assess known anomalies:
- Sources consulted:
  - National Vulnerability Database (NVD) search for "fastapi" and "starlette"
  - Snyk vulnerability database for FastAPI
  - Snyk vulnerability database for Starlette
  - GitHub Security Advisories for fastapi/fastapi
  - CVE Details for FastAPI
  - Security research publications and vendor security bulletins
- Criteria for determining applicability:
  - Vulnerability must affect deployed versions (FastAPI 0.124.2–0.128.0, Starlette 0.50.0)
  - Vulnerability must be exploitable through the device's operational context (authenticated API, no static files)
  - Attack vector must be reachable through the device's interfaces
  - Input validation, authentication, and isolation controls must not mitigate the vulnerability
Signature meaning
The signatures for the approval process of this document can be found in the verified commits at the repository for the QMS. As a reference, the team members who are expected to participate in this document and their roles in the approval process, as defined in Annex I Responsibility Matrix of the GP-001, are:
- Author: Team members involved
- Reviewer: JD-003, JD-004
- Approver: JD-001