CVE-2026-25479
- Source
- https://cve.org/CVERecord?id=CVE-2026-25479
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-25479.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2026-25479
- Aliases
- Published
- 2026-02-09T18:48:19.971Z
- Modified
- 2026-03-01T02:57:14.773998Z
- Severity
-
- 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS Calculator
- Summary
- Litestar has an AllowedHosts validation bypass due to unescaped regex metacharacters in configured host patterns
- Details
-
Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to 2.20.0, in litestar.middleware.allowed_hosts, allowlist entries are compiled into regex patterns in a way that allows regex metacharacters to retain special meaning (e.g., . matches any character). This enables a bypass where an attacker supplies a host that matches the regex but is not the intended literal hostname. This vulnerability is fixed in 2.20.0.
- Database specific
{ "cna_assigner": "GitHub_M", "cwe_ids": [ "CWE-185" ], "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/25xxx/CVE-2026-25479.json" }- References
-
- https://docs.litestar.dev/2/release-notes/changelog.html#2.20.0
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/25xxx/CVE-2026-25479.json
- https://github.com/litestar-org/litestar/commit/06b36f481d1bfea6f19995cfb4f203aba45c4ace
- https://github.com/litestar-org/litestar/releases/tag/v2.20.0
- https://github.com/litestar-org/litestar/security/advisories/GHSA-93ph-p7v4-hwh4
- https://nvd.nist.gov/vuln/detail/CVE-2026-25479
Affected packages
Git / github.com/litestar-org/litestar
Affected ranges
- Type
- GIT
- Repo
- https://github.com/litestar-org/litestar
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
0.*
0.7.2
v0.*
v0.0.1a
v0.1.0
v0.1.0b1
v0.1.1
v0.1.2
v0.1.3
v0.1.4
v0.1.5
v0.1.6
v0.2.0
v0.2.1
v0.3.0
v0.4.0
v0.4.1
v0.4.2
v0.4.3
v0.5.0
v0.6.0
v0.7.0
v0.7.1
v1.*
v1.0.0
v1.0.1
v1.0.2
v1.0.3
v1.0.4
v1.0.5
v1.1.0
v1.1.1
v1.10.0
v1.10.1
v1.11.0
v1.11.1
v1.12.0
v1.13.0
v1.13.1
v1.14.0
v1.14.1
v1.14.2
v1.15.0
v1.16.0
v1.16.1
v1.16.2
v1.17.0
v1.17.1
v1.17.2
v1.18.0
v1.18.1
v1.19.0
v1.2.0
v1.2.1
v1.2.2
v1.2.3
v1.2.4
v1.2.5
v1.20.0
v1.21.0
v1.21.1
v1.21.2
v1.22.0
v1.23.0
v1.23.1
v1.24.0
v1.25.0
v1.26.0
v1.26.1
v1.27.0
v1.28.0
v1.28.1
v1.29.0
v1.3.0
v1.3.1
v1.3.2
v1.3.3
v1.3.4
v1.3.5
v1.3.6
v1.3.7
v1.3.8
v1.3.9
v1.30.0
v1.31.0
v1.32.0
v1.33.0
v1.34.0
v1.35.0
v1.35.1
v1.36.0
v1.37.0
v1.38.0
v1.39.0
v1.4.0
v1.4.1
v1.4.2
v1.40.0
v1.40.1
v1.41.0
v1.42.0
v1.43.0
v1.43.1
v1.44.0
v1.45.0
v1.45.1
v1.46.0
v1.47.0
v1.48.0
v1.48.1
v1.49.0
v1.5.0
v1.5.1
v1.5.2
v1.5.3
v1.5.4
v1.50.0
v1.50.1
v1.50.2
v1.51.0
v1.6.0
v1.6.1
v1.6.2
v1.6.3
v1.7.0
v1.7.1
v1.7.2
v1.7.3
v1.8.0
v1.8.1
v1.9.0
v1.9.1
v2.*
v2.0.0
v2.0.0alpha1
v2.0.0alpha2
v2.0.0alpha3
v2.0.0alpha4
v2.0.0alpha5
v2.0.0alpha6
v2.0.0alpha7
v2.0.0beta1
v2.0.0beta2
v2.0.0beta3
v2.0.0beta4
v2.0.0rc1
v2.1.0
v2.1.1
v2.10.0
v2.11.0
v2.12.0
v2.12.1
v2.13.0
v2.14.0
v2.15.0
v2.15.1
v2.15.2
v2.16.0
v2.17.0
v2.18.0
v2.19.0
v2.2.0
v2.2.1
v2.3.0
v2.3.1
v2.3.2
v2.4.0
v2.4.1
v2.4.2
v2.4.3
v2.4.4
v2.4.5
v2.5.0
v2.5.1
v2.5.2
v2.5.3
v2.5.4
v2.5.5
v2.6.0
v2.6.1
v2.6.2
v2.6.3
v2.7.0
v2.7.1
v2.8.0
v2.9.0