GHSA-674p-xv2x-rf3g
Litestar has potential log injection in exception logging
Details
### Summary
Litestar does not escape URL paths when logging exceptions. This leaves the logger vulnerable to CRLF injection when the logging level is configured to debug or `log_exceptions` is set to `"always"`, which lets an attacker inject newlines and forge log entries.
### Details
Litestar's default exception logging handler formats the unescaped request path directly into the exception log message, without validation or escaping:
https://github.com/litestar-org/litestar/blob/1e0dc7c4d67151c836208a3e360051e983b5083a/litestar/logging/config.py#L145-L150
An attacker can inject newlines into the log by embedding `%0d%0a` in the URL path.
`log_exceptions="always"` is not enabled by default. However, it is set in the logging examples of the documentation (https://github.com/litestar-org/litestar/blob/1e0dc7c4d67151c836208a3e360051e983b5083a/docs/usage/logging.rst#logging), so users who copy the logging config from the docs directly are affected.
### PoC
```
curl "http://172.17.0.2:8000/%29%0D%0AINFO:%20%20%20%20%20127.0.0.1:8192%20-%20%22POST%20/login%20HTTP/1.1%22%20200%20OK%0D%0A%28"
```
Resulting log output (the injected `%0D%0A` sequences break the single exception record into what looks like a separate, forged access-log line):
```
2025-07-15 00:00:00 - litestar - ERROR - Uncaught exception (connection_type=http, path=/)
INFO:     127.0.0.1:8192 - "POST /login HTTP/1.1" 200 OK
...
```
If stack traces for 404 responses are configured to be ignored (`disable_stack_trace={404}`), an attacker can still exploit this by sending malformed requests to endpoints with `str` path parameters, so that a 400 or 500 exception is raised instead of a 404.
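The injection above and one way to neutralize it, as an added example that is not Litestar's own code. The message template is modelled on the advisory's log excerpt (the real handler also appends a traceback, omitted here), and the logger setup, the `sanitize_for_log` helper and the `path_has_control_chars` check are assumptions of this example, not Litestar APIs. The block decodes the advisory's PoC path the way an ASGI server would, logs it through a vulnerable formatter and a hardened one, and counts how many records a line-oriented log consumer would see in each case.

```python
# Added example: reproduces the CRLF log injection described in this advisory
# offline and shows a hardened formatter beside it. Not Litestar's own code;
# the message template follows the advisory's log excerpt, and the logger
# setup and helper names are assumptions of this example.
import io
import logging
import re
import urllib.parse

# The PoC path from the advisory, exactly as it travels in the request line.
POC_PATH = (
    "/%29%0D%0AINFO:%20%20%20%20%20127.0.0.1:8192%20-%20%22POST%20/login"
    "%20HTTP/1.1%22%20200%20OK%0D%0A%28"
)
# ASGI servers percent-decode the path before it reaches the application,
# so the exception handler sees raw CR/LF characters (constructed here).
DECODED_POC_PATH = urllib.parse.unquote(POC_PATH)

# Message shape taken from the advisory's log excerpt (assumption: the
# traceback that follows in the real template is left out).
MESSAGE = "Uncaught exception (connection_type=%s, path=%s)"

# C0 and C1 control characters, including CR (0x0d) and LF (0x0a).
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f-\x9f]")


def _buffered_logger(name: str) -> tuple[logging.Logger, io.StringIO]:
    """Stand-alone logger writing one '<LEVEL> - <message>' record per call."""
    buf = io.StringIO()
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s - %(message)s"))
    logger.addHandler(handler)
    return logger, buf


def log_vulnerable(path: str) -> str:
    """Mirrors the flaw: the decoded path is formatted into the record as-is."""
    logger, buf = _buffered_logger("example.vulnerable")
    logger.error(MESSAGE, "http", path)
    return buf.getvalue()


def sanitize_for_log(value: str) -> str:
    """Escape CR, LF and every other C0/C1 control character so that one
    log call can never produce more than one physical line."""
    named = {"\r": "\\r", "\n": "\\n", "\t": "\\t"}
    return _CONTROL_CHARS.sub(
        lambda m: named.get(m.group(0), "\\x%02x" % ord(m.group(0))), value
    )


def log_hardened(path: str) -> str:
    """Same record, but the attacker-controlled value is escaped first."""
    logger, buf = _buffered_logger("example.hardened")
    logger.error(MESSAGE, "http", sanitize_for_log(path))
    return buf.getvalue()


def record_count(log_text: str) -> int:
    """What a line-oriented consumer (grep, a SIEM agent) sees as records."""
    return sum(1 for line in log_text.splitlines() if line)


def path_has_control_chars(path: str) -> bool:
    """Pre-logging check a middleware or WAF rule could apply to the decoded path."""
    return _CONTROL_CHARS.search(path) is not None


if __name__ == "__main__":
    print("--- vulnerable: one call, several records ---")
    print(log_vulnerable(DECODED_POC_PATH), end="")
    print("--- hardened: one call, one record ---")
    print(log_hardened(DECODED_POC_PATH), end="")
```

The vulnerable branch yields three physical lines from a single `logger.error` call, the middle one indistinguishable from a genuine access-log entry; the hardened branch keeps the whole path on one line with `\r\n` rendered as literal escapes, which is also what makes the injection attempt visible in the log rather than hidden by it. Escaping the value, not the template, is the point: the template is fixed, the path is attacker-controlled.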