litestar 2.5.4 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the litestar package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
M Reliance on Untrusted Inputs in a Security Decision litestar is a Litestar - A production-ready, highly performant, extensible ASGI API Framework Affected versions of this package are vulnerable to Reliance on Untrusted Inputs in a Security Decision due to the use of `X-Forwarded-For` header in the `cache_key_from_request` function. An attacker can circumvent rate limiting by sending requests with varying `X-Forwarded-For` header values, thereby creating separate rate limit buckets for each spoofed value. How to fix Reliance on Untrusted Inputs in a Security Decision? Upgrade `litestar` to version 2.18.0 or higher.	[,2.18.0)
M Improper Output Neutralization for Logs litestar is a Litestar - A production-ready, highly performant, extensible ASGI API Framework Affected versions of this package are vulnerable to Improper Output Neutralization for Logs via the exception logging process. An attacker can manipulate log files and forge log entries by injecting newline characters into the URL path, which are then improperly handled during exception logging. Note: This is only exploitable if the logging level is set to debug or if `log_exceptions` is configured as "always". How to fix Improper Output Neutralization for Logs? Upgrade `litestar` to version 2.17.0 or higher.	[,2.17.0)
H Allocation of Resources Without Limits or Throttling litestar is a Litestar - A production-ready, highly performant, extensible ASGI API Framework Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to the lack of size limits or size checks when reading the request body into memory via await `self.body()`. Note: All Litestar applications that process `json`, `msgpack` or `form-data` submission requests are affected How to fix Allocation of Resources Without Limits or Throttling? Upgrade `litestar` to version 2.13.0 or higher.	[,2.13.0)
H Path Traversal litestar is a Litestar - A production-ready, highly performant, extensible ASGI API Framework Affected versions of this package are vulnerable to Path Traversal through the static content serving function. An attacker can gain unauthorized access to sensitive files outside the designated directories by exploiting path traversal flaws in the file path handling mechanism. Notes: From versions 0.X.X through 1.X.X, the package was released under the name "starlite." Starting with version 2.0.0 and for all subsequent versions, the package has been rebranded and released under the name "litestar." How to fix Path Traversal? Upgrade `litestar` to version 2.6.4, 2.7.2, 2.8.3 or higher.	[2.0.0,2.6.4)[2.7.0,2.7.2)[2.8.0,2.8.3)

Vulnerability

Vulnerable Version

Reliance on Untrusted Inputs in a Security Decision

litestar is a Litestar - A production-ready, highly performant, extensible ASGI API Framework

Affected versions of this package are vulnerable to Reliance on Untrusted Inputs in a Security Decision due to the use of X-Forwarded-For header in the cache_key_from_request function. An attacker can circumvent rate limiting by sending requests with varying X-Forwarded-For header values, thereby creating separate rate limit buckets for each spoofed value.

How to fix Reliance on Untrusted Inputs in a Security Decision?

Upgrade litestar to version 2.18.0 or higher.

[,2.18.0)

Improper Output Neutralization for Logs

litestar is a Litestar - A production-ready, highly performant, extensible ASGI API Framework

Affected versions of this package are vulnerable to Improper Output Neutralization for Logs via the exception logging process. An attacker can manipulate log files and forge log entries by injecting newline characters into the URL path, which are then improperly handled during exception logging.

Note:

This is only exploitable if the logging level is set to debug or if log_exceptions is configured as "always".

How to fix Improper Output Neutralization for Logs?

Upgrade litestar to version 2.17.0 or higher.

[,2.17.0)

Allocation of Resources Without Limits or Throttling

litestar is a Litestar - A production-ready, highly performant, extensible ASGI API Framework

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to the lack of size limits or size checks when reading the request body into memory via await self.body().

Note: All Litestar applications that process json, msgpack or form-data submission requests are affected

How to fix Allocation of Resources Without Limits or Throttling?

Upgrade litestar to version 2.13.0 or higher.

[,2.13.0)

Path Traversal

litestar is a Litestar - A production-ready, highly performant, extensible ASGI API Framework

Affected versions of this package are vulnerable to Path Traversal through the static content serving function. An attacker can gain unauthorized access to sensitive files outside the designated directories by exploiting path traversal flaws in the file path handling mechanism.

Notes:

From versions 0.X.X through 1.X.X, the package was released under the name "starlite."
Starting with version 2.0.0 and for all subsequent versions, the package has been rebranded and released under the name "litestar."

How to fix Path Traversal?

Upgrade litestar to version 2.6.4, 2.7.2, 2.8.3 or higher.

[2.0.0,2.6.4)[2.7.0,2.7.2)[2.8.0,2.8.3)

litestar@2.5.4 vulnerabilities

Litestar - A production-ready, highly performant, extensible ASGI API Framework

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically