VYPR
High severity · 8.3 · NVD Advisory · Published Aug 12, 2024 · Updated Apr 15, 2026

CVE-2024-42370

Description

Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. In versions 2.10.0 and prior, Litestar's docs-preview.yml workflow is vulnerable to Environment Variable injection which may lead to secret exfiltration and repository manipulation. This issue grants a malicious actor the permission to write issues, read metadata, and write pull requests. In addition, the DOCS_PREVIEW_DEPLOY_TOKEN is exposed to the attacker. Commit 84d351e96aaa2a1338006d6e7221eded161f517b contains a fix for this issue.
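
An added example, not code from the Litestar repository: a local simulation of the unchecked and validated ways of copying `.pr_number` into an environment file, using an ordinary file in place of `$GITHUB_ENV`. The function names, the constructed artifact contents and the POSIX `case` test (standing in for a bash `[[ ... =~ ^[0-9]+$ ]]` check) are assumptions.

```shell
#!/bin/sh
# Simulates a KEY=VALUE env file that a later step would load line by line.

# Unchecked form: the artifact file content is appended as-is.
set_pr_unchecked() {   # $1 = artifact file, $2 = env file
    echo "PR_NUMBER=$(cat "$1")" >> "$2"
}

# Validated form: digits only, otherwise fail without writing anything.
set_pr_validated() {   # $1 = artifact file, $2 = env file
    pr=$(cat "$1")
    case "$pr" in
        ''|*[!0-9]*) echo "Invalid PR number (rejected)" >&2; return 1 ;;
    esac
    echo "PR_NUMBER=$pr" >> "$2"
}

# Number of variable definitions the env file would yield (one per line).
count_vars() {
    grep -c '^[A-Za-z_][A-Za-z0-9_]*=' "$1"
}

demo() {
    dir=$(mktemp -d)
    printf '1234\n' > "$dir/good"
    # Constructed multi-line artifact: its second line defines another variable.
    printf '1234\nEXTRA_VAR=constructed-value\n' > "$dir/bad"
    : > "$dir/env_unchecked"
    : > "$dir/env_validated"
    set_pr_unchecked "$dir/bad" "$dir/env_unchecked"
    set_pr_validated "$dir/bad" "$dir/env_validated" 2>/dev/null || true
    set_pr_validated "$dir/good" "$dir/env_validated"
    echo "unchecked: $(count_vars "$dir/env_unchecked") variable(s) defined"
    echo "validated: $(count_vars "$dir/env_validated") variable(s) defined"
    rm -rf "$dir"
}
demo
```

The unchecked file ends up defining two variables from one artifact, while the validated file only ever receives `PR_NUMBER`.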

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
litestar (PyPI) | <= 2.10.0 |

Patches

1
84d351e96aaa

Merge commit from fork

https://github.com/litestar-org/litestar · Jacob Coffee · Aug 9, 2024 · via ghsa
2 files changed · +10 -5
  • .github/workflows/ci.yml +2 -3 modified
    @@ -235,9 +235,8 @@ jobs:
             run: pdm run make docs-linkcheck
     
           - name: Save PR number
    -        env:
    -          PR_NUMBER: ${{ github.event.number }}
    -        run: echo $PR_NUMBER > .pr_number
    +        run: |
    +          echo "${{ github.event.number }}" > .pr_number
     
           - name: Upload artifact
             uses: actions/upload-artifact@v3
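
Review bot: the added `run:` block in "Save PR number" interpolates `${{ github.event.number }}` directly into the shell script, where the removed lines passed it through `env:`. The value is an integer, so this expression is harmless here, but the `env:` form is the safer habit for workflow scripts, and the only weakness in the old step was the unquoted `$PR_NUMBER`. Suggest keeping `env: PR_NUMBER: ${{ github.event.number }}` and writing `echo "$PR_NUMBER" > .pr_number`. Since the file is then uploaded as an artifact, whichever workflow downloads it still has to validate it.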
    
  • .github/workflows/docs-preview.yml +8 -2 modified
    @@ -24,8 +24,14 @@ jobs:
               path: docs-preview
               name: docs-preview
     
    -      - name: Set PR number
    -        run: echo "PR_NUMBER=$(cat docs-preview/.pr_number)" >> $GITHUB_ENV
    +      - name: Validate and set PR number
    +        run: |
    +          PR_NUMBER=$(cat docs-preview/.pr_number)
    +          if ! [[ "$PR_NUMBER" =~ ^[0-9]+$ ]]; then
    +            echo "Invalid PR number: $PR_NUMBER"
    +            exit 1
    +          fi
    +          echo "PR_NUMBER=$PR_NUMBER" >> $GITHUB_ENV
     
           - name: Deploy docs preview
             uses: JamesIves/github-pages-deploy-action@v4
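
Review bot: in the failure branch, `echo "Invalid PR number: $PR_NUMBER"` writes the rejected artifact content, which is untrusted and may span several lines, into the job log. Suggest a fixed message such as `echo "Invalid PR number"` so nothing from the artifact is echoed. Also quote the redirect target, `>> "$GITHUB_ENV"`, and consider pinning `JamesIves/github-pages-deploy-action@v4` in the following step to a full commit SHA.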
    
