GHSA-674p-xv2x-rf3g: 
Python vulnerability analysis and mitigation

A log injection vulnerability was discovered in Litestar (GHSA-674p-xv2x-rf3g) affecting versions 2.16.0 and earlier, where the application fails to properly escape URL paths when logging exceptions. The vulnerability was published and reviewed on August 11, 2025, and has been patched in version 2.17.0. This security flaw primarily affects systems where the logging level is set to debug or when log_exceptions is configured to 'always' (GitHub Advisory).

The vulnerability stems from Litestar's default exception logging handler directly formatting unquoted paths into exception logs without proper validation or escaping. The issue has been assigned a CVSS score of 3.7 (Low severity) with a vector string of CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N. The vulnerability is classified as CWE-117 (Improper Output Neutralization for Logs) (GitHub Advisory).

When exploited, attackers can inject newlines into logs by embedding %0d%0a in the URL path, allowing them to forge log entries. While log_exceptions='always' is not enabled by default, the vulnerability becomes particularly concerning as this configuration is included in the documentation examples, making it likely that users who copy the logging config directly from the documentation would be affected (GitHub Advisory).

The vulnerability has been patched in Litestar version 2.17.0. Users are advised to upgrade to this version or later to address the security issue. The fix involves properly escaping the path parameter in the exception logging handler, as evidenced by the code changes that modify the logging format string to use %r instead of %s (Litestar Commit).