GHSA-674p-xv2x-rf3g

Source

https://github.com/advisories/GHSA-674p-xv2x-rf3g

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-674p-xv2x-rf3g/GHSA-674p-xv2x-rf3g.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-674p-xv2x-rf3g

Published

2025-08-11T23:07:36Z

Modified

2025-08-11T23:34:07.984502Z

Severity

3.7 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS Calculator

Summary

Litestar has potential log injection in exception logging

Details

Summary

Litestar does not escape url paths when logging exceptions. This makes logger vulnerable to CRLF injection if logging level is configured to debug or log_exceptions is set to "always", which allows attackers to inject newlines and forge log entries.

Details

Litestar directly formats unquoted path into exception logs without validation or escaping when using default exception logging handler.

https://github.com/litestar-org/litestar/blob/1e0dc7c4d67151c836208a3e360051e983b5083a/litestar/logging/config.py#L145-L150

Attackers can inject newlines in logs by embedding%0d%0a in url path.

log_exceptions="always" is not enabled by default. However, it is set in the examples of documentation (https://github.com/litestar-org/litestar/blob/1e0dc7c4d67151c836208a3e360051e983b5083a/docs/usage/logging.rst#logging). User will be impacted if they directly copy the logging config from docs.

PoC

curl "http://172.17.0.2:8000/%29%0D%0AINFO:%20%20%20%20%20127.0.0.1:8192%20-%20%22POST%20/login%20HTTP/1.1%22%20200%20OK%0D%0A%28"

logging:

2025-07-15 00:00:00 - litestar - ERROR - Uncaught exception (connection_type=http, path=/)
INFO:     127.0.0.1:8192 - "POST /login HTTP/1.1" 200 OK
...

If stacktracks for 404 are configured to be ignored (disable_stack_trace={404},), attacker may also exploit this by sending malformed requests to cause 400/500 exceptions and avoid 404 in endpoints with str path parameters.

Database specific

{
    "severity": "LOW",
    "github_reviewed": true,
    "github_reviewed_at": "2025-08-11T23:07:36Z",
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-117"
    ]
}

References

Affected packages

PyPI / litestar

Package

Name: litestar; View open source insights on deps.dev
Purl: pkg:pypi/litestar

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.17.0

Affected versions

1.*

1.0.0a0

2.*

2.0.0a3

2.0.0a4

2.0.0a5

2.0.0a6

2.0.0a7

2.0.0b1

2.0.0b2

2.0.0b3

2.0.0b4

2.0.0rc1

2.0.0

2.0.1

2.1.0

2.1.1

2.2.0

2.2.1

2.3.0

2.3.1

2.3.2

2.4.0

2.4.1

2.4.2

2.4.3

2.4.4

2.4.5

2.5.0

2.5.1

2.5.2

2.5.3

2.5.4

2.5.5

2.6.0

2.6.1

2.6.2

2.6.3

2.6.4

2.7.0

2.7.1

2.7.2

2.8.0

2.8.1

2.8.2

2.8.3

2.9.0

2.9.1

2.10.0

2.11.0

2.12.0

2.12.1

2.13.0

2.14.0

2.15.0

2.15.1

2.15.2

2.16.0

Database specific

{
    "last_known_affected_version_range": "<= 2.16.0"
}