6.5

CVE-2026-25479

Exploit

Litestar has an AllowedHosts validation bypass due to unescaped regex metacharacters in configured host patterns

Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to 2.20.0, in litestar.middleware.allowed_hosts, allowlist entries are compiled into regex patterns in a way that allows regex metacharacters to retain special meaning (e.g., . matches any character). This enables a bypass where an attacker supplies a host that matches the regex but is not the intended literal hostname. This vulnerability is fixed in 2.20.0.
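The bug class described above, as an added illustration that is not Litestar's own code (neither the vulnerable pre-2.20.0 middleware nor the patched one): a hypothetical compiler that pastes the configured host into a regex verbatim, next to a hardened one that `re.escape`s every literal segment and expands only the `*` wildcard, plus a host-matching helper that applies either. The function names, the choice of `.*` for the wildcard, the port-stripping rule, and the allowlist and candidate hostnames are all assumptions constructed for this example.

```python
import re
from typing import Callable

# Constructed allowlist for the demonstration (not from any real deployment).
ALLOWED_HOSTS = ["api.example.com", "*.internal.example.com"]


def compile_unescaped(pattern: str) -> re.Pattern:
    """Vulnerable shape of CWE-185 as described in the advisory: the configured
    host goes into the regex as-is, so every '.' means "any single character".
    Hypothetical reconstruction, not the literal pre-2.20.0 Litestar code."""
    return re.compile("^" + pattern.replace("*", ".*") + "$")


def compile_escaped(pattern: str) -> re.Pattern:
    """Hardened variant: each literal segment passes through re.escape, and only
    the '*' wildcard is expanded, so '.' in the allowlist matches a literal dot."""
    literal_parts = [re.escape(part) for part in pattern.split("*")]
    return re.compile("^" + ".*".join(literal_parts) + "$")


def host_allowed(host: str, patterns: list[str],
                 compiler: Callable[[str], re.Pattern] = compile_escaped) -> bool:
    """True if the Host header value matches any configured pattern.

    The value is lower-cased and a trailing ':<port>' is dropped before matching
    (so 'API.Example.com:8443' is compared as 'api.example.com'). The port is
    only stripped when the text after the last ':' is all digits, which leaves a
    bracketed IPv6 literal such as '[::1]' untouched."""
    bare = host.lower()
    head, sep, tail = bare.rpartition(":")
    if sep and tail.isdigit():
        bare = head
    return any(compiler(p).fullmatch(bare) for p in patterns)


def differing_hosts(patterns: list[str], candidates: list[str]) -> list[str]:
    """Hosts the unescaped compiler accepts but the escaped compiler rejects,
    i.e. the bypass space opened by the unescaped metacharacters."""
    return [
        h for h in candidates
        if host_allowed(h, patterns, compile_unescaped)
        and not host_allowed(h, patterns, compile_escaped)
    ]


# Constructed probe values: legitimate hosts plus hosts where a '.' of the
# allowlist entry has been replaced by another character.
CANDIDATES = [
    "api.example.com",
    "apixexample.com",
    "api.examplexcom",
    "db.internal.example.com",
    "dbxinternalxexamplexcom",
    "api.example.com:443",
    "evil.example.com",
]

if __name__ == "__main__":
    for h in CANDIDATES:
        print(f"{h:28} unescaped={host_allowed(h, ALLOWED_HOSTS, compile_unescaped)!s:5} "
              f"escaped={host_allowed(h, ALLOWED_HOSTS, compile_escaped)}")
    print("bypass hosts:", differing_hosts(ALLOWED_HOSTS, CANDIDATES))
```

The practical check for a deployment is the `differing_hosts` pass: take the configured allowlist, generate variants of each entry with one dot replaced by any other character, and confirm the middleware rejects all of them. The fix keeps the wildcard semantics intact; it only changes which characters are literals.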
Data provided by the National Vulnerability Database (NVD)
Vendor: Litestar, Product: Litestar, Version < 2.20.0
No advisory warning was found for this CVE.
EPSS Metrics
Type: EPSS, Source: FIRST.org, Score: 0.32%, Percentile: 0.23
CVSS Metrics
Source: security-advisories@github.com, Base Score: 6.5, Exploitability Score: 3.9, Impact Score: 2.5
Vector String:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
CWE-185 Incorrect Regular Expression

The product specifies a regular expression in a way that causes data to be improperly matched or compared.

https://docs.litestar.dev/2/release-notes/changelog.html#2.20.0
Release Notes
https://github.com/litestar-org/litestar/releases/tag/v2.20.0
Release Notes
https://github.com/litestar-org/litestar/security/advisories/GHSA-93ph-p7v4-hwh4
Vendor Advisory
Exploit
https://github.com/litestar-org/litestar/commit/06b36f481d1bfea6f19995cfb4f203aba45c4ace
Patch