PYSEC-2026-2195

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/litestar/PYSEC-2026-2195.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-2195
Aliases
Published
2026-02-09T20:15:57.017Z
Modified
2026-07-13T07:15:26.781903108Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N CVSS Calculator
Summary
[none]
Details

Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to 2.20.0, CORSConfig.allowedoriginsregex is constructed using a regex built from configured allowlist values and used with fullmatch() for validation. Because metacharacters are not escaped, a malicious origin can match unexpectedly. The check relies on allowedoriginsregex.fullmatch(origin). This vulnerability is fixed in 2.20.0.

References

Affected packages

PyPI / litestar

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.20.0

Affected versions

1.*
1.0.0a0
2.*
2.0.0a3
2.0.0a4
2.0.0a5
2.0.0a6
2.0.0a7
2.0.0b1
2.0.0b2
2.0.0b3
2.0.0b4
2.0.0rc1
2.0.0
2.0.1
2.1.0
2.1.1
2.2.0
2.2.1
2.3.0
2.3.1
2.3.2
2.4.0
2.4.1
2.4.2
2.4.3
2.4.4
2.4.5
2.5.0
2.5.1
2.5.2
2.5.3
2.5.4
2.5.5
2.6.0
2.6.1
2.6.2
2.6.3
2.6.4
2.7.0
2.7.1
2.7.2
2.8.0
2.8.1
2.8.2
2.8.3
2.9.0
2.9.1
2.10.0
2.11.0
2.12.0
2.12.1
2.13.0
2.14.0
2.15.0
2.15.1
2.15.2
2.16.0
2.17.0
2.18.0
2.19.0

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/litestar/PYSEC-2026-2195.yaml"