6.5

CVE-2026-25479

Exploit

EPSS 0.01%
Veröffentlicht 09.02.2026 18:48:19
Zuletzt bearbeitet 17.02.2026 15:14:04
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to 2.20.0, in litestar.middleware.allowed_hosts, allowlist entries are compiled into regex patterns in a way that allows regex metacharacters to retain special meaning (e.g., . matches any character). This enables a bypass where an attacker supplies a host that matches the regex but is not the intended literal hostname. This vulnerability is fixed in 2.20.0.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 7

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Litestar ≫ Litestar Version < 2.20.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.01%	0.018

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	6.5	3.9	2.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CWE-185 Incorrect Regular Expression

The product specifies a regular expression in a way that causes data to be improperly matched or compared.

https://docs.litestar.dev/2/release-notes/changelog.html#2.20.0

Release Notes

https://github.com/litestar-org/litestar/releases/tag/v2.20.0

Release Notes

https://github.com/litestar-org/litestar/security/advisories/GHSA-93ph-p7v4-hwh4

Vendor Advisory

Exploit

https://github.com/litestar-org/litestar/commit/06b36f481d1bfea6f19995cfb4f203aba45c4ace

Patch

https://nvd.nist.gov/vuln/detail/CVE-2026-25479

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-25479

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-25479

EUVD