Log Injection
Description
Uvicorn request logger is vulnerable to ANSI escape sequence injection via crafted URLs, allowing log pollution and potential terminal interaction.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Uvicorn's request logger is vulnerable to ANSI escape sequence injection. When an HTTP request is received, uvicorn percent-decodes the request path (via urllib.parse.unquote) into the ASGI scope and then writes that decoded path to the access log as-is. A client can therefore place a percent-encoded escape character in the URL (for example %1b for ESC, 0x1b), which is decoded back to the raw control byte before it reaches the log line [1][3]. The issue affects all versions of uvicorn prior to 0.11.7.
Exploitation
An attacker sends an HTTP request whose path contains percent-encoded ANSI sequences (for example a CSI sequence that clears the current line and moves the cursor up, followed by text that overwrites the genuine log entry). The sequences are decoded and logged verbatim. No authentication is required; the attacker only needs to be able to reach the uvicorn listener, and any endpoint works, including ones that return 404, since the access log records every request [1][3]. The exploit is straightforward, as demonstrated in public proof-of-concept examples [3].
Impact
Successful exploitation pollutes access logs and undermines their integrity: injected sequences can hide, rewrite or forge entries as seen by anyone viewing the log in a terminal. The advisory and vendor references further state that, when the log is displayed in a terminal emulator that interprets ANSI escape codes, the injected sequences could be used to execute arbitrary commands and compromise the viewing terminal [1][3]. How far that goes depends on the emulator: display manipulation works in essentially every terminal, while command execution requires an emulator whose escape-sequence handling can be abused to feed input back or run actions, so treat this as a terminal-hardening concern as well as a log-integrity one.
Mitigation
The vulnerability is fixed in uvicorn version 0.11.7, which percent-encodes the path again before logging it. Users should upgrade to this version or later. As a workaround, disable the request (access) logger (uvicorn's `--no-access-log` option, where the installed release offers it), or sanitize log output before rendering it, escaping or stripping control characters (0x00-0x1f, 0x7f) so that an ESC byte can never reach a terminal. A practical check is to view logs with a pager that shows control characters literally (`less` without `-r`/`-R`, or `cat -v`) rather than streaming them straight to a terminal with `cat` or `tail -f` [3][4].
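Putting the Vulnerability, Exploitation and Mitigation paragraphs above together in code: the following is an added example, not uvicorn's own code, showing how a percent-encoded ESC byte in a request target survives into a decoded ASGI path and then an access-log line, what the 0.11.7-style re-quoting of the path does to it, and a detector/sanitizer for log lines as the workaround. The access-log format, the `asgi_scope_from_target` helper, the `CRAFTED_TARGET` value and the regexes are constructed for this example; uvicorn's real logger and scope construction differ in detail.

```python
"""Added example (not uvicorn's own code): a percent-encoded ANSI sequence in a
request path reaching an access log, and two ways to stop it.

Assumptions: the ASGI scope has already had its path percent-decoded (as ASGI
servers do), so scope["path"] is what the logger sees; the log line format is a
constructed stand-in for uvicorn's access line, not its real format.
"""
import re
import urllib.parse

# Constructed crafted request target: ESC [2K clears the current terminal line,
# ESC [1A moves the cursor up one line, then fake text overwrites the real entry.
CRAFTED_TARGET = "/%1b[2K%1b[1A200%20OK%20from%20nowhere"


def asgi_scope_from_target(raw_target: str) -> dict:
    """Minimal ASGI-style scope: the path is percent-decoded, the query string
    is kept as raw bytes (this mirrors what servers do, in simplified form)."""
    path, _, query = raw_target.partition("?")
    return {
        "root_path": "",
        "path": urllib.parse.unquote(path),
        "query_string": query.encode("ascii"),
    }


def vulnerable_path_for_log(scope: dict) -> str:
    """Pre-0.11.7 behaviour: the decoded path goes straight into the log line."""
    return scope.get("root_path", "") + scope["path"]


def patched_path_for_log(scope: dict) -> str:
    """0.11.7-style fix: re-quote the decoded path, so ESC (0x1b) becomes '%1B'."""
    return urllib.parse.quote(scope.get("root_path", "") + scope["path"])


def access_line(client: str, path: str, status: int) -> str:
    # Constructed format, a stand-in for an access-log line.
    return f'{client} - "GET {path} HTTP/1.1" {status}'


# Workaround side: find and neutralise terminal control sequences in a log line.
CSI_RE = re.compile(r"\x1b\[[0-?]*[ -/]*[@-~]")             # ESC [ params intermediates final
OSC_RE = re.compile(r"\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)")   # ESC ] ... BEL or ESC \
OTHER_CTRL_RE = re.compile(r"[\x00-\x08\x0b-\x1f\x7f]")    # remaining C0 controls, keeping \t and \n


def contains_ansi(line: str) -> bool:
    """Detection: does a log line carry an escape sequence or another control byte?"""
    return bool(CSI_RE.search(line) or OSC_RE.search(line) or OTHER_CTRL_RE.search(line))


def sanitize_log_line(line: str) -> str:
    """Replace whole escape sequences with visible markers, then hex-escape any
    leftover control byte, so the result is safe to print to a terminal."""
    line = CSI_RE.sub("<CSI>", line)
    line = OSC_RE.sub("<OSC>", line)
    return OTHER_CTRL_RE.sub(lambda m: "\\x%02x" % ord(m.group()), line)


def demo() -> dict:
    """Run the crafted target through the vulnerable and the patched logger."""
    scope = asgi_scope_from_target(CRAFTED_TARGET)
    vuln = access_line("127.0.0.1:54321", vulnerable_path_for_log(scope), 404)
    fixed = access_line("127.0.0.1:54321", patched_path_for_log(scope), 404)
    return {
        "vulnerable": vuln,
        "vulnerable_has_ansi": contains_ansi(vuln),
        "patched": fixed,
        "patched_has_ansi": contains_ansi(fixed),
        "sanitized": sanitize_log_line(vuln),
    }


if __name__ == "__main__":
    # repr() is used deliberately so the raw ESC bytes are shown, not interpreted.
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Like the real fix, `patched_path_for_log` only re-quotes the path; the query string is left as the server delivered it, which is why `sanitize_log_line` is applied to the whole assembled line as a second layer rather than to the path alone.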
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| uvicorn (PyPI) | < 0.11.7 | 0.11.7 |
Affected products
- uvicorn/uvicorn
Patches
895807f94ea9 Quote path component before logging (#724)
2 files changed · +8 −4
uvicorn/logging.py+4 −3 modified@@ -1,6 +1,7 @@ import http import logging import sys +import urllib from copy import copy import click @@ -77,14 +78,14 @@ def get_client_addr(self, scope): return "%s:%d" % (client[0], client[1]) def get_path(self, scope): - return scope.get("root_path", "") + scope["path"] + return urllib.parse.quote(scope.get("root_path", "") + scope["path"]) def get_full_path(self, scope): path = scope.get("root_path", "") + scope["path"] query_string = scope.get("query_string", b"").decode("ascii") if query_string: - return path + "?" + query_string - return path + return urllib.parse.quote(path) + "?" + query_string + return urllib.parse.quote(path) def get_status_code(self, record): status_code = record.__dict__["status_code"]
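Review bot: the import hunk adds `import urllib`, but the second hunk calls `urllib.parse.quote(...)`; importing the package alone does not bind the `parse` submodule, so this only works because some other module has already imported `urllib.parse`. Change the added line to `import urllib.parse`. In the `get_full_path` hunk, only `path` is quoted while `query_string` is still concatenated after `"?"` exactly as received (it is decoded with `"ascii"`, and 0x1b is valid ASCII), so a control byte that reaches `scope["query_string"]` would still land in the log unescaped; either quote the query string as well or escape control characters on the assembled target before returning it.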
uvicorn/protocols/utils.py+4 −1 modified@@ -1,4 +1,5 @@ import socket +import urllib def get_remote_addr(transport): @@ -49,7 +50,9 @@ def get_client_addr(scope): def get_path_with_query_string(scope): - path_with_query_string = scope.get("root_path", "") + scope["path"] + path_with_query_string = urllib.parse.quote( + scope.get("root_path", "") + scope["path"] + ) if scope["query_string"]: path_with_query_string = "{}?{}".format( path_with_query_string, scope["query_string"].decode("ascii")
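Review bot: same import problem as in logging.py, the added `import urllib` should be `import urllib.parse` for `urllib.parse.quote(...)` in the `get_path_with_query_string` hunk to be guaranteed to resolve. That hunk also duplicates the quoting now done in `LoggingFormatter.get_full_path`, and again leaves `scope["query_string"]` unquoted after the `?`; factor the "quote path, append query string" logic into one helper that both call, so that a follow-up (for example escaping the query string) is made in one place. Minor: this function indexes `scope["query_string"]` while logging.py uses `scope.get("query_string", b"")`; pick one.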
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- [1] github.com/advisories/GHSA-33c7-2mpw-hg34 (GHSA advisory)
- [2] nvd.nist.gov/vuln/detail/CVE-2020-7694 (NVD entry)
- [3] github.com/encode/uvicorn/commit/895807f94ea9a8e588605c12076b7d7517cda503 (fix commit)
- [4] github.com/encode/uvicorn/issues/723 (upstream issue)
- [5] github.com/pypa/advisory-database/tree/main/vulns/uvicorn/PYSEC-2020-150.yaml (PyPA advisory)
- [6] snyk.io/vuln/SNYK-PYTHON-UVICORN-575560 (Snyk advisory)