CVE-2026-25478

MEDIUM EPSS 30.1%
Published Feb 9, 2026 · Modified Feb 17, 2026
6.5 CVSS 3.1
Medium

Description

Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to 2.20.0, CORSConfig.allowed_origins_regex is built from the configured allowlist values without escaping regex metacharacters, and the resulting pattern is used with fullmatch() to validate the request Origin (allowed_origins_regex.fullmatch(origin)). Because metacharacters in the configured values keep their regex meaning (for example, an unescaped '.' in a hostname matches any single character), an origin the operator never intended to allow can match the pattern. This vulnerability is fixed in 2.20.0.
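The following is an added example illustrating the class of bug the description names; it is not Litestar's own code and does not reproduce the patched function. It assumes the vulnerable construction joins the configured allowlist entries into one alternation pattern without re.escape() (escape=False), places the textbook fix beside it (escape=True), and checks a constructed attacker-chosen origin in which each unescaped '.' of a legitimate hostname has been replaced by another character. The allowlist and origins are constructed sample data, and the function names are hypothetical.

```python
import re
from typing import Iterable

# Constructed sample allowlist (not taken from the Litestar code base).
ALLOWED_ORIGINS = ["https://app.example.com", "https://admin.example.com"]


def build_origin_regex(allowed: Iterable[str], escape: bool) -> re.Pattern[str]:
    """Join configured origins into one alternation pattern.

    escape=False models the bug class from the description: the '.' in each
    hostname keeps its regex meaning (any single character). escape=True
    applies re.escape() to every entry first, so only the literal strings match.
    """
    parts = [re.escape(origin) if escape else origin for origin in allowed]
    return re.compile("|".join(parts))


def origin_allowed(origin: str, pattern: re.Pattern[str]) -> bool:
    """The check as the description states it: fullmatch() on the whole Origin value."""
    return pattern.fullmatch(origin) is not None


def compare(origin: str) -> tuple[bool, bool]:
    """Return (unescaped_result, escaped_result) for one Origin header value."""
    vulnerable = build_origin_regex(ALLOWED_ORIGINS, escape=False)
    fixed = build_origin_regex(ALLOWED_ORIGINS, escape=True)
    return origin_allowed(origin, vulnerable), origin_allowed(origin, fixed)


if __name__ == "__main__":
    # Constructed inputs: a legitimate origin, an origin that fits the
    # unescaped pattern because '.' matched 'X' and 'Y', and an unrelated host.
    for candidate in [
        "https://app.example.com",
        "https://appXexampleYcom",
        "https://evil.example.com",
    ]:
        unescaped, escaped = compare(candidate)
        print(f"{candidate}: unescaped={unescaped} escaped={escaped}")
```

With the unescaped pattern, "https://appXexampleYcom" passes the check even though it is not in the allowlist; after escaping it is rejected. A host that differs in any other position ("https://evil.example.com") fails both checks, which is why the weakness depends on the attacker controlling an origin that the loosened pattern happens to accept, consistent with the AV:N/UI:R/C:H vector on this page (a victim's browser must visit the attacker's page, which can then read credentialed cross-origin responses).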

CVSS Details

Base Score
6.5
Exploitability
2.8
Impact
3.6
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction Required
Scope Unchanged
Confidentiality High
Integrity None
Availability None

Threat Intelligence

EPSS Exploit Probability
30.1% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 1

CWE-942

Affected Products 1

Vendor    Product   Version   Range
litestar  litestar  *         <2.20.0

References 4

  • docs.litestar.dev https://docs.litestar.dev/2/release-notes/changelog.html#2.20.0
    Release Notes
  • github.com https://github.com/litestar-org/litestar/commit/eb87703b309efcc0d1b087dcb12784e76b003d5a
    Patch
  • github.com https://github.com/litestar-org/litestar/releases/tag/v2.20.0
    Release Notes
  • github.com https://github.com/litestar-org/litestar/security/advisories/GHSA-2p2x-hpg8-cqp2
    Exploit, Vendor Advisory

Remediation

Upgrade to litestar 2.20.0 or later, which contains the fix commit below.

  • github.com https://github.com/litestar-org/litestar/commit/eb87703b309efcc0d1b087dcb12784e76b003d5a
    Patch