CVE-2026-25479

MEDIUM EPSS 23.3%
Published Feb 9, 2026 (4mo ago) · Modified Jun 17, 2026 (1w ago)
6.5 CVSS 3.1
Medium

Description

Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to 2.20.0, in litestar.middleware.allowed_hosts, allowlist entries are compiled into regex patterns without escaping, so regex metacharacters retain their special meaning (e.g., an unescaped '.' matches any character). This enables a bypass in which an attacker supplies a host that matches the regex but is not the intended literal hostname. This vulnerability is fixed in 2.20.0.
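As an added illustration of the defect class the description names (not Litestar's own code), the following compiles a constructed allowlist both unescaped and escaped, and includes an audit helper that flags entries containing regex metacharacters:

```python
import re

# Constructed allowlist for the demonstration; the hostnames are placeholders.
ALLOWED_HOSTS = ["api.example.com", "www.example.com"]


def compile_unescaped(hosts):
    """Vulnerable variant: entries are joined into the regex as-is, so an
    unescaped '.' keeps its regex meaning and matches any character.
    Anchoring with ^ and $ does not help; the metacharacters are inside."""
    return re.compile("^(" + "|".join(hosts) + ")$")


def compile_escaped(hosts):
    """Hardened variant: re.escape() makes every entry match literally."""
    return re.compile("^(" + "|".join(re.escape(h) for h in hosts) + ")$")


def host_allowed(pattern, host):
    """Return True when the Host value is accepted by the compiled allowlist."""
    return pattern.fullmatch(host) is not None


def entries_with_metachars(hosts):
    """Audit helper: list allowlist entries that re.escape() would change,
    i.e. entries whose meaning differs between literal and regex use."""
    return [h for h in hosts if re.escape(h) != h]


if __name__ == "__main__":
    vuln, fixed = compile_unescaped(ALLOWED_HOSTS), compile_escaped(ALLOWED_HOSTS)
    probe = "apiXexampleXcom"  # not a real hostname; differs only at the dots
    print("unescaped accepts probe:", host_allowed(vuln, probe))   # True
    print("escaped accepts probe:  ", host_allowed(fixed, probe))  # False
    print("entries needing escape: ", entries_with_metachars(ALLOWED_HOSTS))
```

Running the audit helper over a deployed allowlist shows which entries an unescaped build would have widened; any non-empty result is a reason to confirm the framework version is at or above the fixed release.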

CVSS Details

Base Score
6.5
Exploitability
3.9
Impact
2.5
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality Low
Integrity Low
Availability None

Threat Intelligence

EPSS Exploit Probability
23.3% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 1

CWE-185

Affected Products 1

Vendor    Product   Version   Range
litestar  litestar  *         <2.20.0

References 4

  • docs.litestar.dev https://docs.litestar.dev/2/release-notes/changelog.html#2.20.0
    Release Notes
  • github.com https://github.com/litestar-org/litestar/commit/06b36f481d1bfea6f19995cfb4f203aba45c4ace
    Patch
  • github.com https://github.com/litestar-org/litestar/releases/tag/v2.20.0
    Release Notes
  • github.com https://github.com/litestar-org/litestar/security/advisories/GHSA-93ph-p7v4-hwh4
    Exploit, Vendor Advisory

Remediation

  • github.com https://github.com/litestar-org/litestar/commit/06b36f481d1bfea6f19995cfb4f203aba45c4ace
    Patch