`email.message.Message` (RFC 2822 parser) used for HTTP Content-Type detection causes FastAPI to parse `application/x-www-form-urlencoded+json` bodies as JSON, creating inconsistent behavior with application middleware #15201

subhashdasyam · 2026-03-23T13:11:52Z

subhashdasyam
Mar 23, 2026

First Check

I added a very descriptive title here.
I used the GitHub search to find a similar question and didn't find it.
I searched the FastAPI documentation, with the integrated search.
I already searched in Google "How to X in FastAPI" and didn't find any information.
I already read and followed all the tutorial in the docs and didn't find an answer.
I already checked if it is not related to FastAPI but to Pydantic.
I already checked if it is not related to FastAPI but to Swagger UI.
I already checked if it is not related to FastAPI but to ReDoc.

Commit to Help

I commit to help with one of those options 👆

Example Code

# Minimal reproducible example.
# Run: uvicorn main:app --port 8000

import email.message
from fastapi import FastAPI, Request
from fastapi.responses import JSONResponse
from pydantic import BaseModel

app = FastAPI()


class Item(BaseModel):
    username: str
    role: str = "user"


# ── Application-level middleware that routes auth by Content-Type ──
# A common pattern when an API serves both browser (form) and
# programmatic (JSON) clients with different auth requirements.
@app.middleware("http")
async def auth_middleware(request: Request, call_next):
    if request.url.path.startswith("/admin"):
        ct = request.headers.get("content-type", "")
        if ct.lower().startswith("application/json"):
            # JSON API call — require strong token
            token = request.headers.get("x-api-token", "")
            if token != "secret-admin-token":
                return JSONResponse(status_code=401, content={"error": "admin token required"})
        else:
            # Assumed to be a browser form — require session cookie
            session = request.cookies.get("session") or request.headers.get("x-session", "")
            if session != "valid-user-session":
                return JSONResponse(status_code=401, content={"error": "session required"})
            # NOTE: session path does not enforce role — assumes browser UI handles it
    return await call_next(request)


@app.post("/admin/update")
async def admin_update(item: Item):
    return {
        "status": "updated",
        "username": item.username,
        "role": item.role,
        "note": "PRIVILEGE ESCALATION" if item.role == "admin" else "ok",
    }


# Shows how FastAPI's internal parser classifies a given Content-Type
@app.get("/debug/parser")
async def debug_parser(ct: str):
    msg = email.message.Message()
    msg["content-type"] = ct
    subtype = msg.get_content_subtype()
    return {
        "content_type": ct,
        "maintype": msg.get_content_maintype(),
        "subtype": subtype,
        "fastapi_treats_as_json": (
            msg.get_content_maintype() == "application"
            and (subtype == "json" or subtype.endswith("+json"))
        ),
    }


```bash
# --- Expected behavior ---

# 1. JSON call without admin token → correctly rejected by middleware
curl -s -X POST http://localhost:8000/admin/update \
  -H "Content-Type: application/json" \
  -d '{"username": "bob", "role": "admin"}'
# → {"error": "admin token required"}

# 2. Form call with valid session → middleware accepts, but FastAPI receives
#    raw bytes for a JSON-body endpoint → Pydantic 422 (cannot parse form bytes as model)
curl -s -X POST http://localhost:8000/admin/update \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -H "X-Session: valid-user-session" \
  -d '{"username": "bob", "role": "admin"}'
# → {"detail": [{"type": "model_attributes_type", ...}]}  (422)

# --- The inconsistency ---

# 3. Send JSON payload with Content-Type: application/x-www-form-urlencoded+json
#    Middleware sees "form" → accepts session cookie → no token check
#    FastAPI sees "+json" suffix → calls request.json() → full JSON parsed
#    Result: admin endpoint called with only a session cookie
curl -s -X POST http://localhost:8000/admin/update \
  -H "Content-Type: application/x-www-form-urlencoded+json" \
  -H "X-Session: valid-user-session" \
  -d '{"username": "bob", "role": "admin"}'
# → {"status": "updated", "username": "bob", "role": "admin", "note": "PRIVILEGE ESCALATION"}

# 4. Debug: confirm parser classification
curl -s "http://localhost:8000/debug/parser?ct=application/x-www-form-urlencoded%2Bjson"
# → {
#     "content_type": "application/x-www-form-urlencoded+json",
#     "maintype": "application",
#     "subtype": "x-www-form-urlencoded+json",
#     "fastapi_treats_as_json": true    ← framework treats it as JSON
#   }



### Description

### What is happening

In `fastapi/routing.py` lines 417–422, FastAPI uses Python's `email.message.Message` to determine whether an incoming request body should be parsed as JSON:

```python
# routing.py:417-422
message = email.message.Message()
message["content-type"] = content_type_value
if message.get_content_maintype() == "application":
    subtype = message.get_content_subtype()
    if subtype == "json" or subtype.endswith("+json"):
        json_body = await request.json()

email.message.Message is an RFC 2822 email/MIME header parser, not an HTTP/RFC 7231 parser. It fully implements the MIME Structured Syntax Suffix convention (RFC 6839), which says any type with a +json suffix contains JSON-encoded data. As a result, FastAPI treats all of the following as JSON bodies:

application/x-www-form-urlencoded+json
application/octet-stream+json
application/vnd.anything+json

None of these are registered media types. application/x-www-form-urlencoded+json in particular is semantically contradictory — URL-encoded form data cannot simultaneously be JSON-encoded.

What I expected to happen

application/x-www-form-urlencoded+json should not trigger await request.json(). It is not a real content type. FastAPI should either treat it as raw bytes or reject it with HTTP 415 Unsupported Media Type, just as it does for plain application/x-www-form-urlencoded on a JSON-body endpoint.

What is currently happening

Any string matching application/*+json — no matter how semantically invalid the base subtype is — causes FastAPI to call request.json() and deliver a parsed Python dict to the endpoint. The endpoint has no way to know the Content-Type was unusual.

Why this creates real problems at the application level

The core issue is inconsistency between FastAPI's body parsing decision and what the rest of the application stack assumes.

Application middleware commonly branches on Content-Type to implement different behavior for JSON API calls versus form submissions. This is a standard pattern when an API serves both programmatic clients and browser forms:

# Pattern 1 — different auth requirements
@app.middleware("http")
async def auth_middleware(request: Request, call_next):
    ct = request.headers.get("content-type", "")
    if ct.startswith("application/json"):
        require_api_token(request)      # strong auth for JSON API
    else:
        require_session_cookie(request) # weaker session auth for browser
    return await call_next(request)

# Pattern 2 — different input validation
@app.middleware("http")
async def validation_middleware(request: Request, call_next):
    ct = request.headers.get("content-type", "")
    if ct.startswith("application/json"):
        await validate_json_schema(request)   # schema checks for API
    # form submissions: trust Pydantic alone
    return await call_next(request)

# Pattern 3 — different rate limit tiers
@app.middleware("http")
async def rate_limit_middleware(request: Request, call_next):
    ct = request.headers.get("content-type", "")
    if ct.startswith("application/json"):
        apply_api_rate_limit(request)     # 100 req/min for API
    else:
        apply_browser_rate_limit(request) # 1000 req/min for forms
    return await call_next(request)

In every pattern above, application/x-www-form-urlencoded+json goes down the non-JSON branch in the middleware (because ct.startswith("application/json") is False), while FastAPI's body parser takes the JSON branch (because the email parser sees +json).

The result: the endpoint receives a fully parsed JSON dict, but the middleware applied the wrong set of rules to get it there.

Concrete impact:

1. Auth requirement bypass (shown in example code above):
Middleware enforces strong auth for application/json requests. Using application/x-www-form-urlencoded+json, a client with only a session cookie can call a JSON API endpoint that requires an admin token. The session auth path has no role check — it was never designed to handle JSON API payloads, only browser form submissions.

2. Input validation middleware bypass:
If application middleware validates the structure or contents of application/json request bodies (e.g., checking for disallowed fields, enforcing field-level business rules before the request reaches the endpoint), those checks are skipped entirely when the same JSON payload arrives with a +json-suffixed content type.

@app.middleware("http")
async def business_rules_middleware(request: Request, call_next):
    ct = request.headers.get("content-type", "")
    if ct.startswith("application/json"):
        body = await request.body()
        data = json.loads(body)
        if data.get("role") in ("admin", "superadmin"):
            return JSONResponse(status_code=403, content={"error": "role escalation not allowed"})
    return await call_next(request)

# Blocked:
# POST /users/  Content-Type: application/json  {"role": "admin"}
# → 403

# Bypassed:
# POST /users/  Content-Type: application/x-www-form-urlencoded+json  {"role": "admin"}
# → 200  (middleware skipped, FastAPI parses JSON, Pydantic accepts it)

3. Unexpected behavior with per-route strict_content_type:
An endpoint decorated with strict_content_type=True correctly rejects requests with no Content-Type. But a request with Content-Type: application/octet-stream+json passes through — strict_content_type only guards the no-Content-Type path, not the +json suffix path.

4. Silent parsing of semantically invalid content types:
A client that accidentally sends Content-Type: application/x-www-form-urlencoded with a JSON body gets a 422. A client that accidentally sends Content-Type: application/x-www-form-urlencoded+json with a JSON body gets a 200. This inconsistency makes debugging hard: the same malformed content type produces different outcomes depending on whether the +json suffix is present.

Content-Type classification inconsistency table

Content-Type	Middleware `ct.startswith("application/json")`	FastAPI body parsing
`application/json`	True	JSON ✓ (consistent)
`application/x-www-form-urlencoded`	False	bytes (consistent)
`application/x-www-form-urlencoded+json`	False	JSON ← inconsistent
`application/octet-stream+json`	False	JSON ← inconsistent
`application/vnd.api+json`	False	JSON (legitimate, but still inconsistent with naive middleware)
`text/plain+json`	False	bytes (safe — maintype check stops it)

Proposed fix

Replace the email.message.Message block with direct string parsing and explicitly reject known non-JSON base subtypes:

# routing.py — replacement for lines 416-422

_NON_JSON_SUBTYPE_BASES: frozenset[str] = frozenset({
    "x-www-form-urlencoded",
    "octet-stream",
    "form-data",
    "pdf",
    "zip",
    "gzip",
    "msword",
})

def _is_json_content_type(content_type: str) -> bool:
    mime_type = content_type.split(";", 1)[0].strip().lower()
    if not mime_type.startswith("application/"):
        return False
    subtype = mime_type[len("application/"):]
    if subtype == "json":
        return True
    if subtype.endswith("+json"):
        base = subtype[: -len("+json")]
        if base in _NON_JSON_SUBTYPE_BASES:
            return False
        return True
    return False

# Replace lines 417-422 with:
if _is_json_content_type(content_type_value):
    json_body = await request.json()

What this changes:

✅ application/json — still JSON (exact match)
✅ application/vnd.api+json, application/ld+json, application/problem+json — still JSON (legitimate structured-syntax types)
✅ application/x-www-form-urlencoded+json — now bytes (was incorrectly JSON)
✅ application/octet-stream+json — now bytes (was incorrectly JSON)
✅ Removes import email.message from the HTTP request handling path entirely

Operating System

Linux

Operating System Details

Linux 6.17.9

FastAPI Version

0.135.1

Pydantic Version

2.12.5

Python Version

3.12.3

Additional Context

Why `email.message.Message` is the wrong tool here

email.message.Message (Python's email stdlib) is designed to parse RFC 2822 message headers — email headers. HTTP Content-Type headers follow RFC 7231, which has different quoting rules, parameter handling, and case-sensitivity semantics. Using the email parser for HTTP headers works for common cases (application/json, application/json; charset=utf-8) but diverges on edge cases like structured syntax suffixes, non-standard parameter quoting, and folded header values.

The simplest correct replacement is direct string manipulation: split at ;, strip, lowercase, check prefix and suffix. No external parser needed.

Note on `strict_content_type`

The existing strict_content_type=True route parameter does not mitigate this issue. It only guards the case where no Content-Type header is present. Once a Content-Type value exists — even application/x-www-form-urlencoded+json — strict_content_type has no effect on the +json suffix detection path.

YuriiMotov · 2026-03-23T17:03:15Z

YuriiMotov
Mar 23, 2026
Collaborator

Just notes for me future:

I think this should be investigated and probably addressed at some point in the future (email.message.Message doesn't comply with RFC 7231), but I don't think this is something urgent as the use case is not common (application/x-www-form-urlencoded+json is semantically invalid)

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

`email.message.Message` (RFC 2822 parser) used for HTTP Content-Type detection causes FastAPI to parse `application/x-www-form-urlencoded+json` bodies as JSON, creating inconsistent behavior with application middleware #15201

Uh oh!

{{title}}

Uh oh!

Replies: 1 comment

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Uh oh!

email.message.Message (RFC 2822 parser) used for HTTP Content-Type detection causes FastAPI to parse application/x-www-form-urlencoded+json bodies as JSON, creating inconsistent behavior with application middleware #15201

Uh oh!

subhashdasyam Mar 23, 2026

First Check

Commit to Help

Example Code

What I expected to happen

What is currently happening

Why this creates real problems at the application level

Content-Type classification inconsistency table

Proposed fix

Operating System

Operating System Details

FastAPI Version

Pydantic Version

Python Version

Additional Context

Why email.message.Message is the wrong tool here

Note on strict_content_type

Replies: 1 comment

Uh oh!

YuriiMotov Mar 23, 2026 Collaborator

`email.message.Message` (RFC 2822 parser) used for HTTP Content-Type detection causes FastAPI to parse `application/x-www-form-urlencoded+json` bodies as JSON, creating inconsistent behavior with application middleware #15201

subhashdasyam
Mar 23, 2026

Why `email.message.Message` is the wrong tool here

Note on `strict_content_type`

YuriiMotov
Mar 23, 2026
Collaborator