CVE-2024-42370
📋 TL;DR
This CVE describes an environment variable injection vulnerability in Litestar's GitHub Actions workflow that could allow attackers to exfiltrate secrets and manipulate repositories. It affects Litestar versions 2.10.0 and prior. The vulnerability exposes the DOCS_PREVIEW_DEPLOY_TOKEN and grants unauthorized write access to issues and pull requests.
💻 Affected Systems
- Litestar
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete repository takeover, secret exfiltration, unauthorized code changes, and potential supply chain compromise through malicious pull requests.
Likely Case
Unauthorized access to repository secrets, creation of malicious issues/pull requests, and potential credential theft from exposed tokens.
If Mitigated
Limited to repository metadata exposure if proper access controls and secret management are implemented.
🎯 Exploit Status
Exploitation requires access to trigger GitHub Actions workflows, typically through repository access or pull requests.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Fixed in commit 84d351e96aaa2a1338006d6e7221eded161f517b
Vendor Advisory: https://github.com/litestar-org/litestar/security/advisories/GHSA-4hq2-rpgc-r8r7
Restart Required: No
Instructions:
1. Update to Litestar version after commit 84d351e96aaa2a1338006d6e7221eded161f517b
2. Replace vulnerable .github/workflows/docs-preview.yml with patched version
3. Rotate any exposed DOCS_PREVIEW_DEPLOY_TOKEN and other repository secrets
🔧 Temporary Workarounds
Disable vulnerable workflow
Temporarily disable the docs-preview.yml GitHub Actions workflow
Navigate to repository Settings > Actions > Workflow permissions > Disable workflow for .github/workflows/docs-preview.yml
Restrict workflow permissions
Limit GitHub Actions permissions to read-only where possible
Set repository Settings > Actions > General > Workflow permissions to 'Read repository contents permission'
🧯 If You Can't Patch
- Rotate all repository secrets and access tokens immediately
- Implement strict code review requirements for all pull requests and workflow changes
🔍 How to Verify
Check if Vulnerable:
Check if .github/workflows/docs-preview.yml contains vulnerable environment variable usage patterns from pre-patch versions
Check Version:
Check Litestar version with: pip show litestar | grep Version
Verify Fix Applied:
Verify workflow file matches patched version from commit 84d351e96aaa2a1338006d6e7221eded161f517b
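The check above asks you to look for "vulnerable environment variable usage patterns" in the workflow file. The following script is an added example, not Litestar's code and not a vendor verification script: it scans a workflow for `run:` steps that interpolate attacker-influenced `${{ github.event.* }}` fields and reference `$GITHUB_ENV`, which is the pattern class this CVE belongs to. The list of untrusted event fields is an assumption (representative, not exhaustive), and both sample workflows are constructed for the example rather than copied from the Litestar repository. The hardened sample also shows the two mitigations from the workaround section side by side: a read-only `permissions:` block, and passing the untrusted value through `env:` and validating it in the shell before it is written to `$GITHUB_ENV`.

```python
"""Heuristic check for GitHub Actions environment-variable injection (added
example, not Litestar's code). Flags `run:` steps that interpolate attacker-
influenced event fields and reference $GITHUB_ENV, the pattern class of
CVE-2024-42370. The untrusted-field list is an assumption, not exhaustive."""
import re

# Event-payload paths a PR author or fork owner controls (assumed, representative).
UNTRUSTED_EVENT_EXPR = re.compile(
    r"\$\{\{\s*github\.event\.(?:"
    r"pull_request\.(?:title|body|head\.ref|head\.label|head\.repo\.(?:name|full_name))"
    r"|issue\.(?:title|body)|comment\.body|head_commit\.message"
    r"|workflow_run\.(?:head_branch|head_commit\.message|head_commit\.author\.(?:name|email))"
    r")\s*\}\}"
)
GITHUB_ENV_REF = re.compile(r"\$\{?GITHUB_ENV\}?")  # any reference counts as a write
RUN_KEY = re.compile(r"^(\s*)(- )?run:\s*(.*)$")


def iter_run_blocks(lines):
    """Yield (1-based line number of the `run:` key, script text) per run step."""
    i = 0
    while i < len(lines):
        m = RUN_KEY.match(lines[i])
        if not m:
            i += 1
            continue
        key_indent = len(m.group(1)) + (2 if m.group(2) else 0)
        start, inline, i = i + 1, m.group(3).strip(), i + 1
        if inline and inline not in ("|", "|-", ">", ">-"):
            yield start, inline  # one-line script
            continue
        body = []  # block scalar: every following line indented past the key
        while i < len(lines) and (not lines[i].strip()
                                  or len(lines[i]) - len(lines[i].lstrip()) > key_indent):
            body.append(lines[i].strip())
            i += 1
        yield start, "\n".join(body)


def find_env_injection(workflow_text):
    """Return [(line, kind, expressions)]; kind is "env-injection" when the script
    also touches GITHUB_ENV (value persists into later steps), else "script-injection"."""
    findings = []
    for line_no, script in iter_run_blocks(workflow_text.splitlines()):
        exprs = sorted({m.group(0) for m in UNTRUSTED_EVENT_EXPR.finditer(script)})
        if exprs:
            kind = "env-injection" if GITHUB_ENV_REF.search(script) else "script-injection"
            findings.append((line_no, kind, exprs))
    return findings


# Constructed samples (not the real Litestar file): a fork-controlled branch name
# flows through $GITHUB_ENV, then the same step rewritten to pass it via `env:`.
VULNERABLE_WORKFLOW = """\
name: docs-preview (constructed sample)
on: [workflow_run]
permissions: write-all
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - name: Set PR number
        run: |
          echo "PR_NUMBER=${{ github.event.workflow_run.head_branch }}" >> $GITHUB_ENV
      - name: Deploy preview
        run: ./deploy.sh "$PR_NUMBER"
"""
HARDENED_WORKFLOW = """\
name: docs-preview (constructed hardened sample)
on: [workflow_run]
permissions:
  contents: read
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - name: Set branch name
        env:
          HEAD_BRANCH: ${{ github.event.workflow_run.head_branch }}
        run: |
          case "$HEAD_BRANCH" in
            *[!A-Za-z0-9._/-]*) echo "unexpected branch name" >&2; exit 1 ;;
          esac
          echo "HEAD_BRANCH=$HEAD_BRANCH" >> "$GITHUB_ENV"
      - name: Deploy preview
        run: ./deploy.sh "$HEAD_BRANCH"
"""

if __name__ == "__main__":
    for label, text in (("vulnerable", VULNERABLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(label, find_env_injection(text))
```

Run it against `.github/workflows/docs-preview.yml` (or any workflow) by reading the file and passing its text to `find_env_injection`; an empty result means no run step both interpolates a listed untrusted field and touches `$GITHUB_ENV`. The hardened sample is not flagged because the `${{ }}` expression sits in `env:`, where the runner substitutes it without shell interpretation, and the `case` guard rejects any character (newlines included) that could smuggle extra `KEY=VALUE` lines into the environment file.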
📡 Detection & Monitoring
Log Indicators:
- Unauthorized workflow executions
- Unexpected secret usage in GitHub Actions logs
- Suspicious pull request or issue creation
Network Indicators:
- Unexpected outbound connections from GitHub Actions runners
- Unusual API calls to repository endpoints
SIEM Query:
source="github-actions" AND (event="workflow_run" OR event="pull_request") AND action="completed" AND suspicious_patterns
🔗 References
- https://github.com/litestar-org/litestar/actions/runs/10081936962/job/27875077668#step:1:17
- https://github.com/litestar-org/litestar/blob/ffaf5616b19f6f0f4128209c8b49dbcb41568aa2/.github/workflows/docs-preview.yml
- https://github.com/litestar-org/litestar/commit/84d351e96aaa2a1338006d6e7221eded161f517b
- https://github.com/litestar-org/litestar/security/advisories/GHSA-4hq2-rpgc-r8r7