CVE-2024-42370

Name of the Vulnerable Software and Affected Versions Litestar versions 2.10.0 and prior

Description The issue is related to Environment Variable injection in Litestar's docs-preview.yml workflow, which may lead to secret exfiltration and repository manipulation. This grants a malicious actor permission to write issues, read metadata, and write pull requests. The DOCS PREVIEW DEPLOY TOKEN is also exposed to the attacker. The vulnerability allows an attacker to send a malicious .pr number file, which can define new Environment Variables, including LD PRELOAD, to force the system to load a malicious shared library. This can result in arbitrary code execution when the node command is run.

Recommendations For Litestar versions 2.10.0 and prior, verify the contents of the downloaded artifacts and do not allow new lines in the value redirected to GITHUB ENV. As a temporary workaround, consider restricting access to the docs-preview.yml workflow until a fix is applied. Update to a version that includes the fix, as commit 84d351e96aaa2a1338006d6e7221eded161f517b contains a fix for this issue.