PT-2025-34323 · Pypi · Litestar
Published
2025-08-11
·
Updated
2025-08-11
CVSS v3.1
3.7
Low
| Vector | AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N |
Summary
Litestar does not escape url paths when logging exceptions. This makes logger vulnerable to CRLF injection if logging level is configured to debug or
log exceptions is set to "always", which allows attackers to inject newlines and forge log entries.Details
Litestar directly formats unquoted path into exception logs without validation or escaping when using default exception logging handler.
Attackers can inject newlines in logs by embedding
%0d%0a in url path.log exceptions="always" is not enabled by default. However, it is set in the examples of documentation (https://github.com/litestar-org/litestar/blob/1e0dc7c4d67151c836208a3e360051e983b5083a/docs/usage/logging.rst#logging). User will be impacted if they directly copy the logging config from docs.PoC
curl "http://172.17.0.2:8000/%29%0D%0AINFO:%20%20%20%20%20127.0.0.1:8192%20-%20%22POST%20/login%20HTTP/1.1%22%20200%20OK%0D%0A%28"logging:
2025-07-15 00:00:00 - litestar - ERROR - Uncaught exception (connection type=http, path=/)
INFO: 127.0.0.1:8192 - "POST /login HTTP/1.1" 200 OK
...If stacktracks for 404 are configured to be ignored (
disable stack trace={404},), attacker may also exploit this by sending malformed requests to cause 400/500 exceptions and avoid 404 in endpoints with str path parameters.Fix
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Litestar