Discussion about path traversal vulnerability in Litestar versions >1.37.0, fixes and background information

[provinzkraut]

On the 30.04.2024, the Litestar team has been made aware of a vulnerability in the static file handling functionality of Litestar framework, that could allow malicious actors to perform a directory traversal and gain access to files outside the specified base directory. Together with reporting security researcher Brian Edgar Ré, we have created a fix for all current Litestar minor / major releases (1.51, 2.6, 2.7, 2.8) which have
been released simultaneously on 06.05.2024.

The patched versions are:

• 1.51.16
• 2.6.4
• 2.7.2
• 2.8.3

It is highly recommended that you upgrade your application to any of those versions as soon as possible. Should you not be able to perform such an upgrade, or should you rely on an unsupported version for which a fix has not been released, please contact us privately on our official Discord or via E-Mail under [email protected], so we can help you resolve this issue.

Who is affected?

Anyone running a Litestar version after 1.37.0 and prior to 2.8.3 not included in the list of patched versions above and that's making use of StaticFilesConfig or create_static_files_router.

What is the impact on my application?

The impact on your application depends largely on your deployment environment. Since
this vulnerability allows the extraction of files, it can be prevented by standard operational security practices such as running your application without privileged access to sensitive files.

What do I need to do?

If you have an up-to-date Litestar installation, all you need to do is update to the latest available patch release. If you are on a minor version that has not received a patch, you should be able to upgrade to a patched minor version, as there are no breaking changes between minor Litestar versions.

Background and further action

Bugs happen, and so do bugs that lead to vulnerabilities. While we strive for perfection, we have to accept this as an unfortunate given in software development. However, when it does happen, we take the time to review the development process to ensure appropriate measures are taken to reduce the likelihood of such a bug making it into production. After the initial work of closing the vulnerability and coordinating the disclosure process, we have done this examination and, in the interest of full transparency, want to share our post-mortem findings here.

How did this happen?

The vulnerability was introduced during a period marked by a high volume and velocity of change, as we transitioned away from our dependency on Starlette. We are particularly concerned that, at a time when thorough code review is most critical, the pull request did not receive an adequate level of scrutiny before it was merged. While we are confident that we have matured beyond the culture that allowed such rapid change and lack of oversight, we recognize our responsibility to ensure the integrity of the code base as it currently stands.

What is going to happen next

To ensure that Litestar is as secure and stable as we can make it, we have decided that, for the time being, we are going to shift our focus from the development of the upcoming version 3.0, and instead re-examine the existing Litestar code for security issues and potential vulnerabilities, specifically focusing on changes made between version 1.51 and 2.0.

Additionally, we are looking into having Litestar's security audited by an independent 3rd party.

At the moment there is no clear timeline of how this will affect the release of the 3.0 version, but we believe that ensuring the quality and security of the existing codebase is paramount to developing new features, however exciting they may be.

We will keep you updated about the proceedings, and should you have any questions, you can reach out to us via the regular channels (official Discord, [email protected]), or join us at our next office hours on 10.05.2024, 17:00 UTC on the Discord, where we will be answering questions and talk about current development.