{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25478", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-02T16:31:35.820Z", "datePublished": "2026-02-09T18:46:56.445Z", "dateUpdated": "2026-02-10T16:01:16.807Z"}, "containers": {"cna": {"title": "Litestar has a CORS origin allowlist bypass due to unescaped regex metacharacters in allowed origins", "problemTypes": [{"descriptions": [{"cweId": "CWE-942", "lang": "en", "description": "CWE-942: Permissive Cross-domain Policy with Untrusted Domains", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/litestar-org/litestar/security/advisories/GHSA-2p2x-hpg8-cqp2", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/litestar-org/litestar/security/advisories/GHSA-2p2x-hpg8-cqp2"}, {"name": "https://github.com/litestar-org/litestar/commit/eb87703b309efcc0d1b087dcb12784e76b003d5a", "tags": ["x_refsource_MISC"], "url": "https://github.com/litestar-org/litestar/commit/eb87703b309efcc0d1b087dcb12784e76b003d5a"}, {"name": "https://docs.litestar.dev/2/release-notes/changelog.html#2.20.0", "tags": ["x_refsource_MISC"], "url": "https://docs.litestar.dev/2/release-notes/changelog.html#2.20.0"}, {"name": "https://github.com/litestar-org/litestar/releases/tag/v2.20.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/litestar-org/litestar/releases/tag/v2.20.0"}], "affected": [{"vendor": "litestar-org", "product": "litestar", "versions": [{"version": "< 2.20.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-09T18:46:56.445Z"}, "descriptions": [{"lang": "en", "value": "Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to 2.20.0, CORSConfig.allowed_origins_regex is constructed using a regex built from configured allowlist values and used with fullmatch() for validation. Because metacharacters are not escaped, a malicious origin can match unexpectedly. The check relies on allowed_origins_regex.fullmatch(origin). This vulnerability is fixed in 2.20.0."}], "source": {"advisory": "GHSA-2p2x-hpg8-cqp2", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-10T15:30:25.275815Z", "id": "CVE-2026-25478", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-10T16:01:16.807Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25478", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-10T15:30:25.275815Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-10T15:30:26.193Z"}}], "cna": {"title": "Litestar has a CORS origin allowlist bypass due to unescaped regex metacharacters in allowed origins", "source": {"advisory": "GHSA-2p2x-hpg8-cqp2", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.4, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "litestar-org", "product": "litestar", "versions": [{"status": "affected", "version": "< 2.20.0"}]}], "references": [{"url": "https://github.com/litestar-org/litestar/security/advisories/GHSA-2p2x-hpg8-cqp2", "name": "https://github.com/litestar-org/litestar/security/advisories/GHSA-2p2x-hpg8-cqp2", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/litestar-org/litestar/commit/eb87703b309efcc0d1b087dcb12784e76b003d5a", "name": "https://github.com/litestar-org/litestar/commit/eb87703b309efcc0d1b087dcb12784e76b003d5a", "tags": ["x_refsource_MISC"]}, {"url": "https://docs.litestar.dev/2/release-notes/changelog.html#2.20.0", "name": "https://docs.litestar.dev/2/release-notes/changelog.html#2.20.0", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/litestar-org/litestar/releases/tag/v2.20.0", "name": "https://github.com/litestar-org/litestar/releases/tag/v2.20.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to 2.20.0, CORSConfig.allowed_origins_regex is constructed using a regex built from configured allowlist values and used with fullmatch() for validation. Because metacharacters are not escaped, a malicious origin can match unexpectedly. The check relies on allowed_origins_regex.fullmatch(origin). This vulnerability is fixed in 2.20.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-942", "description": "CWE-942: Permissive Cross-domain Policy with Untrusted Domains"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-09T18:46:56.445Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25478", "state": "PUBLISHED", "dateUpdated": "2026-02-10T16:01:16.807Z", "dateReserved": "2026-02-02T16:31:35.820Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-09T18:46:56.445Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:litestar:litestar:*:*:*:*:*:*:*:*", "matchCriteriaId": "67E26161-0CDE-4B8F-A065-04A19BC4CDCB", "versionEndExcluding": "2.20.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to 2.20.0, CORSConfig.allowed_origins_regex is constructed using a regex built from configured allowlist values and used with fullmatch() for validation. Because metacharacters are not escaped, a malicious origin can match unexpectedly. The check relies on allowed_origins_regex.fullmatch(origin). This vulnerability is fixed in 2.20.0."}, {"lang": "es", "value": "Litestar es un framework de Interfaz de Pasarela de Servidor As\u00edncrono (ASGI). Antes de la versi\u00f3n 2.20.0, CORSConfig.allowed_origins_regex se construye utilizando una expresi\u00f3n regular (regex) creada a partir de los valores de la lista de permitidos (allowlist) configurados y se usa con fullmatch() para la validaci\u00f3n. Debido a que los metacaracteres no se escapan, un origen malicioso puede coincidir de forma inesperada. La comprobaci\u00f3n se basa en allowed_origins_regex.fullmatch(origin). Esta vulnerabilidad se corrige en la versi\u00f3n 2.20.0."}], "id": "CVE-2026-25478", "lastModified": "2026-02-17T15:15:29.523", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.0, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-02-09T20:15:57.017", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://docs.litestar.dev/2/release-notes/changelog.html#2.20.0"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/litestar-org/litestar/commit/eb87703b309efcc0d1b087dcb12784e76b003d5a"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/litestar-org/litestar/releases/tag/v2.20.0"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/litestar-org/litestar/security/advisories/GHSA-2p2x-hpg8-cqp2"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-942"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.20.0)"}}], "product": "litestar", "vendor": "litestar-org"}], "analysis": {"en": {"generated_at": "2026-04-18T18:15:04.851826+00:00", "value": {"mitigation_remediation": ["Upgrade to Litestar 2.20.0 or newer to apply the fixed regex handling.", "If an upgrade is not immediately possible, reconfigure CORS to avoid the regex allowlist; for example, use the explicit allowed_origins list or escape all origins before constructing the regular expression.", "Review any custom CORS handling code to ensure that the Origin header is validated against a strict whitelist and that regex metacharacters are properly escaped."], "summary": {"action": "Patch", "impact": "Cross-Origin Resource Sharing (CORS) allowlist bypass"}, "threat_synthesis": {"affected_systems": "The Litestar ASGI framework, developed by litestar-org, is affected. All releases prior to 2.20.0 contain the unescaped regex logic and are vulnerable. The issue is fixed in version 2.20.0 and subsequent releases.", "description_and_impact": "Litestar versions older than 2.20.0 build a regular expression from the configured allowlist values without escaping metacharacters, and this expression is used with fullmatch() to validate the Origin header. Because special characters are not escaped, a malicious Origin value can match the resulting regex and be treated as an allowed origin. This flaw permits an attacker to trick the application into accepting requests from an arbitrary origin, effectively bypassing the intended CORS policy and potentially exposing the application to cross-origin data leakage. This is a CWE-942 vulnerability, indicating improper neutralization of special elements in a regex.", "risk_and_exploitability": "The CVSS score of 7.4 indicates a high severity vulnerability. The EPSS score of less than 1% suggests a low probability of exploitation at present, and the flaw is not listed in CISA\u2019s KEV catalog. The likely attack vector is client-side: an attacker must craft a request with a malformed Origin header that satisfies the flawed regex. If successful, the attacker can make the server accept cross-origin requests from an origin that is not on the intended allowlist, thereby bypassing the CORS policy. Given the high severity and the low current exploitation likelihood, organizations should treat this as a high\u2011risk issue until a patch is applied."}}}}, "created": "2026-02-10T16:26:54.341863+00:00", "updated": "2026-04-18T18:15:06.625230+00:00", "vendors": ["litestar-org", "litestar-org$PRODUCT$litestar"]}