GHSA-674P-XV2X-RF3G

Vulnerability from github – Published: 2025-08-11 23:07 – Updated: 2025-08-11 23:07
VLAI
Summary
Litestar has potential log injection in exception logging
Details

Summary

Litestar does not escape url paths when logging exceptions. This makes logger vulnerable to CRLF injection if logging level is configured to debug or log_exceptions is set to "always", which allows attackers to inject newlines and forge log entries.

Details

Litestar directly formats unquoted path into exception logs without validation or escaping when using default exception logging handler.

https://github.com/litestar-org/litestar/blob/1e0dc7c4d67151c836208a3e360051e983b5083a/litestar/logging/config.py#L145-L150

Attackers can inject newlines in logs by embedding%0d%0a in url path.

log_exceptions="always" is not enabled by default. However, it is set in the examples of documentation (https://github.com/litestar-org/litestar/blob/1e0dc7c4d67151c836208a3e360051e983b5083a/docs/usage/logging.rst#logging). User will be impacted if they directly copy the logging config from docs.

PoC

curl "http://172.17.0.2:8000/%29%0D%0AINFO:%20%20%20%20%20127.0.0.1:8192%20-%20%22POST%20/login%20HTTP/1.1%22%20200%20OK%0D%0A%28"

logging:

2025-07-15 00:00:00 - litestar - ERROR - Uncaught exception (connection_type=http, path=/)
INFO:     127.0.0.1:8192 - "POST /login HTTP/1.1" 200 OK
...

If stacktracks for 404 are configured to be ignored (disable_stack_trace={404},), attacker may also exploit this by sending malformed requests to cause 400/500 exceptions and avoid 404 in endpoints with str path parameters.

Severity
3.7 (Low)
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.16.0"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "litestar"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.17.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-117"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-08-11T23:07:36Z",
    "nvd_published_at": null,
    "severity": "LOW"
  },
  "details": "### Summary\n\nLitestar does not escape url paths when logging exceptions. This makes logger vulnerable to CRLF injection if logging level is configured to debug or `log_exceptions` is set to \"always\", which allows attackers to inject newlines and forge log entries.\n\n### Details\n\nLitestar directly formats unquoted path into exception logs without validation or escaping when using default exception logging handler.\n\nhttps://github.com/litestar-org/litestar/blob/1e0dc7c4d67151c836208a3e360051e983b5083a/litestar/logging/config.py#L145-L150\n\nAttackers can inject newlines in logs by embedding`%0d%0a` in url path.\n\n`log_exceptions=\"always\"` is not enabled by default. However, it is set in the examples of documentation (https://github.com/litestar-org/litestar/blob/1e0dc7c4d67151c836208a3e360051e983b5083a/docs/usage/logging.rst#logging). User will be impacted if they directly copy the logging config from docs.\n\n### PoC\n\n```\ncurl \"http://172.17.0.2:8000/%29%0D%0AINFO:%20%20%20%20%20127.0.0.1:8192%20-%20%22POST%20/login%20HTTP/1.1%22%20200%20OK%0D%0A%28\"\n```\n\nlogging:\n\n```\n2025-07-15 00:00:00 - litestar - ERROR - Uncaught exception (connection_type=http, path=/)\nINFO:     127.0.0.1:8192 - \"POST /login HTTP/1.1\" 200 OK\n...\n```\n\nIf stacktracks for 404 are configured to be ignored (`disable_stack_trace={404},`), attacker may also exploit this by sending malformed requests to cause 400/500 exceptions and avoid 404 in endpoints with str path parameters.",
  "id": "GHSA-674p-xv2x-rf3g",
  "modified": "2025-08-11T23:07:36Z",
  "published": "2025-08-11T23:07:36Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/litestar-org/litestar/security/advisories/GHSA-674p-xv2x-rf3g"
    },
    {
      "type": "WEB",
      "url": "https://github.com/litestar-org/litestar/commit/03b5813d4f448dd710af9ba6252d798cb9fc087f"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/litestar-org/litestar"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Litestar has potential log injection in exception logging"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.