How severe is GHSA-674p-xv2x-rf3g?

GHSA-674p-xv2x-rf3g has a CVSS score of 3.7/10, rated LOW. Review your exposure and patch according to your risk tolerance.

Which packages are affected by GHSA-674p-xv2x-rf3g?

GHSA-674p-xv2x-rf3g affects the following packages: litestar (PyPI). Ecosystems affected: PyPI.

How do I fix GHSA-674p-xv2x-rf3g?

Update litestar to 2.17.0 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-674p-xv2x-rf3g is resolved across your whole dependency graph.

How do I detect GHSA-674p-xv2x-rf3g in my PyPI dependencies?

Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for litestar. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

How do I mitigate GHSA-674p-xv2x-rf3g if there is no patch (or I can't update yet)?

If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

How does O3 Security protect against GHSA-674p-xv2x-rf3g?

O3 pinpoints whether GHSA-674p-xv2x-rf3g is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Is GHSA-674p-xv2x-rf3g actively exploited in the wild?

No public exploit code has been indexed for GHSA-674p-xv2x-rf3g yet. This does not mean the vulnerability cannot be exploited — absence of public exploits does not imply safety. Apply the recommended fix and use O3 Security to monitor your exposure.

When was GHSA-674p-xv2x-rf3g published, and has it been updated?

GHSA-674p-xv2x-rf3g was published on August 11, 2025 and was last updated on August 12, 2025. Advisory data evolves as severity scores, affected ranges, and exploit intelligence are revised — always check the latest version of the advisory before acting.

🐍 PyPI

GHSA-674p-xv2x-rf3g

LOW

Litestar has potential log injection in exception logging

Published

Aug 11, 2025

Updated

Aug 12, 2025

Affected

1 pkg

Patched

1 / 1

Exploits

None indexed

Blast Radius

1 pkg affected

🐍litestar

Real-time download stats are indexed for npm and PyPI packages. This vulnerability affects PyPI packages — download data is not available via public APIs for these ecosystems.

Description

Summary

Litestar does not escape url paths when logging exceptions. This makes logger vulnerable to CRLF injection if logging level is configured to debug or log_exceptions is set to "always", which allows attackers to inject newlines and forge log entries.

Details

Litestar directly formats unquoted path into exception logs without validation or escaping when using default exception logging handler.

https://github.com/litestar-org/litestar/blob/1e0dc7c4d67151c836208a3e360051e983b5083a/litestar/logging/config.py#L145-L150

Attackers can inject newlines in logs by embedding%0d%0a in url path.

log_exceptions="always" is not enabled by default. However, it is set in the examples of documentation (https://github.com/litestar-org/litestar/blob/1e0dc7c4d67151c836208a3e360051e983b5083a/docs/usage/logging.rst#logging). User will be impacted if they directly copy the logging config from docs.

PoC

curl "http://172.17.0.2:8000/%29%0D%0AINFO:%20%20%20%20%20127.0.0.1:8192%20-%20%22POST%20/login%20HTTP/1.1%22%20200%20OK%0D%0A%28"

logging:

2025-07-15 00:00:00 - litestar - ERROR - Uncaught exception (connection_type=http, path=/)
INFO:     127.0.0.1:8192 - "POST /login HTTP/1.1" 200 OK
...

If stacktracks for 404 are configured to be ignored (disable_stack_trace={404},), attacker may also exploit this by sending malformed requests to cause 400/500 exceptions and avoid 404 in endpoints with str path parameters.

Affected Packages

1 total 1 fixed

Ecosystem	Package	Vulnerable range	Fix
🐍PyPI	`litestar`	all versions	2.17.0

Detection & mitigation playbook

Open-source dependency

Detect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for litestar. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update litestar to 2.17.0 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-674p-xv2x-rf3g is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-674p-xv2x-rf3g is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to GHSA-674p-xv2x-rf3g. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.

Frequently Asked Questions

### Summary Litestar does not escape url paths when logging exceptions. This makes logger vulnerable to CRLF injection if logging level is configured to debug or `log_exceptions` is set to "always", which allows attackers to inject newlines and forge log entries. ### Details Litestar directly formats unquoted path into exception logs without validation or escaping when using default exception logging handler. https://github.com/litestar-org/litestar/blob/1e0dc7c4d67151c836208a3e360051e983b5083a/litestar/logging/config.py#L145-L150 Attackers can inject newlines in logs by embedding`%0d%0a`

O3 Security · Impact-Aware SCA

Is GHSA-674p-xv2x-rf3g in your dependencies?

O3 detects GHSA-674p-xv2x-rf3g across PyPI dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.

Scan my dependencies How O3 SCA works