{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25479", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-02T16:31:35.821Z", "datePublished": "2026-02-09T18:48:19.971Z", "dateUpdated": "2026-02-10T16:01:11.941Z"}, "containers": {"cna": {"title": "Litestar has an AllowedHosts validation bypass due to unescaped regex metacharacters in configured host patterns", "problemTypes": [{"descriptions": [{"cweId": "CWE-185", "lang": "en", "description": "CWE-185: Incorrect Regular Expression", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/litestar-org/litestar/security/advisories/GHSA-93ph-p7v4-hwh4", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/litestar-org/litestar/security/advisories/GHSA-93ph-p7v4-hwh4"}, {"name": "https://github.com/litestar-org/litestar/commit/06b36f481d1bfea6f19995cfb4f203aba45c4ace", "tags": ["x_refsource_MISC"], "url": "https://github.com/litestar-org/litestar/commit/06b36f481d1bfea6f19995cfb4f203aba45c4ace"}, {"name": "https://docs.litestar.dev/2/release-notes/changelog.html#2.20.0", "tags": ["x_refsource_MISC"], "url": "https://docs.litestar.dev/2/release-notes/changelog.html#2.20.0"}, {"name": "https://github.com/litestar-org/litestar/releases/tag/v2.20.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/litestar-org/litestar/releases/tag/v2.20.0"}], "affected": [{"vendor": "litestar-org", "product": "litestar", "versions": [{"version": "< 2.20.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-09T18:48:19.971Z"}, "descriptions": [{"lang": "en", "value": "Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to 2.20.0, in litestar.middleware.allowed_hosts, allowlist entries are compiled into regex patterns in a way that allows regex metacharacters to retain special meaning (e.g., . matches any character). This enables a bypass where an attacker supplies a host that matches the regex but is not the intended literal hostname. This vulnerability is fixed in 2.20.0."}], "source": {"advisory": "GHSA-93ph-p7v4-hwh4", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-10T15:39:53.590127Z", "id": "CVE-2026-25479", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-10T16:01:11.941Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25479", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-10T15:39:53.590127Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-10T15:39:54.271Z"}}], "cna": {"title": "Litestar has an AllowedHosts validation bypass due to unescaped regex metacharacters in configured host patterns", "source": {"advisory": "GHSA-93ph-p7v4-hwh4", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "litestar-org", "product": "litestar", "versions": [{"status": "affected", "version": "< 2.20.0"}]}], "references": [{"url": "https://github.com/litestar-org/litestar/security/advisories/GHSA-93ph-p7v4-hwh4", "name": "https://github.com/litestar-org/litestar/security/advisories/GHSA-93ph-p7v4-hwh4", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/litestar-org/litestar/commit/06b36f481d1bfea6f19995cfb4f203aba45c4ace", "name": "https://github.com/litestar-org/litestar/commit/06b36f481d1bfea6f19995cfb4f203aba45c4ace", "tags": ["x_refsource_MISC"]}, {"url": "https://docs.litestar.dev/2/release-notes/changelog.html#2.20.0", "name": "https://docs.litestar.dev/2/release-notes/changelog.html#2.20.0", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/litestar-org/litestar/releases/tag/v2.20.0", "name": "https://github.com/litestar-org/litestar/releases/tag/v2.20.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to 2.20.0, in litestar.middleware.allowed_hosts, allowlist entries are compiled into regex patterns in a way that allows regex metacharacters to retain special meaning (e.g., . matches any character). This enables a bypass where an attacker supplies a host that matches the regex but is not the intended literal hostname. This vulnerability is fixed in 2.20.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-185", "description": "CWE-185: Incorrect Regular Expression"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-09T18:48:19.971Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25479", "state": "PUBLISHED", "dateUpdated": "2026-02-10T16:01:11.941Z", "dateReserved": "2026-02-02T16:31:35.821Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-09T18:48:19.971Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:litestar:litestar:*:*:*:*:*:*:*:*", "matchCriteriaId": "67E26161-0CDE-4B8F-A065-04A19BC4CDCB", "versionEndExcluding": "2.20.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to 2.20.0, in litestar.middleware.allowed_hosts, allowlist entries are compiled into regex patterns in a way that allows regex metacharacters to retain special meaning (e.g., . matches any character). This enables a bypass where an attacker supplies a host that matches the regex but is not the intended literal hostname. This vulnerability is fixed in 2.20.0."}, {"lang": "es", "value": "Litestar es un framework de Interfaz de Pasarela de Servidor As\u00edncrono (ASGI). Antes de la 2.20.0, en litestar.middleware.allowed_hosts, las entradas de la lista de permitidos se compilan en patrones de expresiones regulares de una manera que permite que los metacaracteres de expresiones regulares conserven un significado especial (por ejemplo, . coincide con cualquier car\u00e1cter). Esto permite una omisi\u00f3n donde un atacante proporciona un host que coincide con la expresi\u00f3n regular pero no es el nombre de host literal previsto. Esta vulnerabilidad se corrige en la 2.20.0."}], "id": "CVE-2026-25479", "lastModified": "2026-02-17T15:14:04.910", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-09T20:15:57.177", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://docs.litestar.dev/2/release-notes/changelog.html#2.20.0"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/litestar-org/litestar/commit/06b36f481d1bfea6f19995cfb4f203aba45c4ace"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/litestar-org/litestar/releases/tag/v2.20.0"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/litestar-org/litestar/security/advisories/GHSA-93ph-p7v4-hwh4"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-185"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.20.0)"}}], "product": "litestar", "vendor": "litestar-org"}], "analysis": {"en": {"generated_at": "2026-04-17T21:18:41.975371+00:00", "value": {"mitigation_remediation": ["Upgrade Litestar to version 2.20.0 or later to apply the fixed regex handling logic.", "Review and simplify any custom host allowlist configurations to use plain string patterns rather than regexes.", "Deploy a reverse proxy or firewall rule that enforces strict host header validation before traffic reaches the application."], "summary": {"action": "Patch", "impact": "Bypass of host header validation"}, "threat_synthesis": {"affected_systems": "The vulnerability is present in all releases of the Litestar framework before version 2.20.0. Systems running Litestar 2.19.x or earlier are affected; the fix was delivered in release 2.20.0.", "description_and_impact": "Litestar allows unsafe regex compilation of host allowlist entries, letting malicious regex metacharacters interpret intended literal hostnames as pattern matches. An attacker can supply a Host header that matches the compiled regex but is not the desired hostname, bypassing the framework\u2019s trust boundary. This permits the attacker to send requests with arbitrary host values that the application will treat as legitimate, potentially enabling host header injection, request forgery, or traffic spoofing within the application\u2019s routing logic.", "risk_and_exploitability": "The CVSS score of 6.5 indicates a moderate severity. The EPSS probability is defined as less than 1\u202f%, showing that exploitation is expected to be rare. This issue is not listed in the CISA KEV catalog. Exploitation requires only the ability to send HTTP requests with a crafted Host header, so the attack vector is network\u2011based and does not need authenticated access. Once the host header bypass is achieved, the attacker may target request handling procedures that rely on the Host value. Given the moderate severity and low EPSS, the overall risk is moderate but warrants prompt patching because the ability to forge host values can lead to unforeseen application behavior or escalation of other vulnerabilities."}}}}, "created": "2026-02-10T16:26:53.571808+00:00", "updated": "2026-04-17T21:30:28.384862+00:00", "vendors": ["litestar-org", "litestar-org$PRODUCT$litestar"]}