Platform
python
Component
litestar-org/litestar
Fixed in
2.8.1
1.37.1
2.7.1
2.0.1
CVE-2024-32982 describes a Path Traversal vulnerability discovered in Litestar, an Asynchronous Server Gateway Interface (ASGI) framework. This flaw allows attackers to bypass intended access restrictions and retrieve sensitive files from the server. The vulnerability impacts versions 2.0.0 through 2.8.2, excluding 2.8.3. A fix is available in version 2.8.3.
The core of this vulnerability lies in the static file serving component of Litestar. Attackers can leverage path traversal techniques, such as using sequences like ../, to navigate outside the intended static file directories. This unauthorized access can expose sensitive configuration files, source code, or other critical data stored on the server. Successful exploitation could lead to information disclosure, potentially enabling further attacks, such as privilege escalation or remote code execution if sensitive credentials or scripts are exposed. The blast radius extends to any data accessible through the server's file system, depending on the attacker's ability to manipulate file paths.
CVE-2024-32982 was publicly disclosed on May 6, 2024. There is no indication of active exploitation campaigns at this time. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept (PoC) code is likely to emerge given the relatively simple nature of path traversal vulnerabilities, increasing the risk of exploitation.
Exploit Status
EPSS
0.23% (45% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-32982 is to upgrade to Litestar version 2.8.3 or later, which contains the fix for the path traversal vulnerability. If upgrading immediately is not feasible, consider implementing temporary workarounds. These may include restricting access to the static file serving endpoint using a Web Application Firewall (WAF) or proxy server, configuring strict file access controls on the server, and carefully reviewing the file paths used in the application to ensure they are properly sanitized. Monitor access logs for suspicious file requests containing path traversal sequences. After upgrading, confirm the fix by attempting a path traversal attack on the static file serving endpoint and verifying that access is denied.
Actualice Litestar a la versión 2.8.3, 2.7.2 o 2.6.4, o superior. Esto corrige la vulnerabilidad de path traversal en el componente de servicio de archivos estáticos. La actualización previene el acceso no autorizado a archivos sensibles fuera de los directorios designados.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2024-32982 is a Path Traversal vulnerability affecting Litestar versions 2.0.0–>= 2.8.0 < 2.8.3, allowing attackers to access sensitive files outside designated directories.
You are affected if you are using Litestar versions 2.0.0 through 2.8.2 (excluding 2.8.3).
Upgrade to Litestar version 2.8.3 or later to remediate the vulnerability. Consider temporary workarounds like WAF rules if immediate upgrade is not possible.
There is currently no indication of active exploitation campaigns, but public PoCs are likely to emerge.
Refer to the Litestar project's security advisories and release notes for the official announcement and details: [https://litestar.dev/](https://litestar.dev/)
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your requirements.txt file and we'll tell you instantly if you're affected.