
GHSA-674p-xv2x-rf3g litestar

Package

Manager: pip
Name: litestar
Vulnerable Version: >=0 <2.17.0

Severity

Level: Low

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: N/A (percentile: N/A)

Details

Litestar has potential log injection in exception logging

Summary

Litestar does not escape URL paths when logging exceptions. This makes the logger vulnerable to CRLF injection if the logging level is configured to debug or `log_exceptions` is set to "always", which allows attackers to inject newlines and forge log entries.

Details

Litestar directly formats the unquoted path into exception logs without validation or escaping when using the default exception logging handler:
https://github.com/litestar-org/litestar/blob/1e0dc7c4d67151c836208a3e360051e983b5083a/litestar/logging/config.py#L145-L150

Attackers can inject newlines into logs by embedding `%0d%0a` in the URL path.

`log_exceptions="always"` is not enabled by default. However, it is set in the examples of the documentation (https://github.com/litestar-org/litestar/blob/1e0dc7c4d67151c836208a3e360051e983b5083a/docs/usage/logging.rst#logging). Users will be impacted if they directly copy the logging config from the docs.

PoC

```
curl "http://172.17.0.2:8000/%29%0D%0AINFO:%20%20%20%20%20127.0.0.1:8192%20-%20%22POST%20/login%20HTTP/1.1%22%20200%20OK%0D%0A%28"
```

Resulting log output:

```
2025-07-15 00:00:00 - litestar - ERROR - Uncaught exception (connection_type=http, path=/)
INFO:     127.0.0.1:8192 - "POST /login HTTP/1.1" 200 OK
...
```

If stack traces for 404 are configured to be ignored (`disable_stack_trace={404}`), an attacker may also exploit this by sending malformed requests that cause 400/500 exceptions and avoid 404 in endpoints with str path parameters.
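The following is an added example, not code from Litestar or from the advisory. It reproduces the vulnerable pattern (interpolating a decoded request path into an exception log line) with a plain `logging.Formatter`, then shows the mitigation a defender would apply: a formatter that escapes CR, LF and other control characters in the message before it is written, plus a helper that flags decoded paths carrying such characters. The log format string, the logger names and the `SafeFormatter` / `path_has_control_chars` helpers are assumptions chosen to mirror the advisory's sample output; the injected path is constructed here by decoding the advisory's PoC URL.

```python
import io
import logging
import re
from urllib.parse import unquote

# Constructed sample input: what the advisory's PoC URL decodes to, i.e.
# ')' to close the real log line, CRLF, a fake access-log line, CRLF, '('.
INJECTED_PATH = unquote(
    "/%29%0D%0AINFO:%20%20%20%20%20127.0.0.1:8192%20-%20%22POST%20/login"
    "%20HTTP/1.1%22%20200%20OK%0D%0A%28"
)

# Assumed log format, mirroring the advisory's sample output line.
LOG_FORMAT = "%(asctime)s - %(name)s - %(levelname)s - %(message)s"

# Every C0 control character plus DEL: CR/LF are the ones that forge
# entries, but backspace and escape sequences can also corrupt log viewers.
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def escape_control(text: str) -> str:
    """Render control characters as visible escapes such as \\r, \\n, \\x00."""
    return _CONTROL.sub(lambda m: repr(m.group())[1:-1], text)


class SafeFormatter(logging.Formatter):
    """Escape control characters in the interpolated message before formatting.

    Only the message is escaped, not the whole rendered record, so an attached
    traceback keeps its own line breaks and stays readable.
    """

    def format(self, record: logging.LogRecord) -> str:
        record.msg = escape_control(record.getMessage())
        record.args = ()
        return super().format(record)


def path_has_control_chars(path: str) -> bool:
    """Detection helper: true if the decoded path contains CR, LF or other control chars."""
    return _CONTROL.search(unquote(path)) is not None


def render_exception_log(path: str, safe: bool) -> str:
    """Emit one 'uncaught exception' line for PATH and return the written log text.

    With safe=False the path is interpolated unescaped (the vulnerable pattern);
    with safe=True the SafeFormatter neutralises embedded line breaks.
    """
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    fmt = SafeFormatter(LOG_FORMAT) if safe else logging.Formatter(LOG_FORMAT)
    handler.setFormatter(fmt)
    logger = logging.getLogger("log-injection-example-" + ("safe" if safe else "raw"))
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    logger.addHandler(handler)
    logger.error("Uncaught exception (connection_type=http, path=%s)", path)
    handler.flush()
    return buf.getvalue()


if __name__ == "__main__":
    print("--- unescaped (forged second line) ---")
    print(render_exception_log(INJECTED_PATH, safe=False))
    print("--- escaped ---")
    print(render_exception_log(INJECTED_PATH, safe=True))
    print("path flagged:", path_has_control_chars(INJECTED_PATH))
```

Run stand-alone, the unescaped variant writes three physical lines, the middle one indistinguishable from a genuine access-log entry; the escaped variant writes a single line in which the injected `\r\n` is visible as literal text. Escaping in the formatter rather than in each call site is the durable fix, because it covers every message that interpolates request data, including paths that were already percent-decoded by the framework before reaching the logger.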

Metadata

Created: 2025-08-11T23:07:36Z
Modified: 2025-08-11T23:07:36Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-674p-xv2x-rf3g/GHSA-674p-xv2x-rf3g.json
CWE IDs: ["CWE-117"]
Alternative ID: N/A
Finding: F091
Auto approve: 1