CVE-2026-25478
HIGH
GHSA-2p2x-hpg8-cqp2
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
Lifecycle Timeline
4Description
Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to 2.20.0, CORSConfig.allowed_origins_regex is constructed using a regex built from configured allowlist values and used with fullmatch() for validation. Because metacharacters are not escaped, a malicious origin can match unexpectedly. The check relies on allowed_origins_regex.fullmatch(origin). This vulnerability is fixed in 2.20.0.
Analysis
Litestar ASGI framework versions before 2.20.0 fail to properly escape regex metacharacters in CORS origin validation, allowing attackers to bypass origin restrictions through crafted malicious origins. This configuration flaw affects cross-origin request filtering and enables unauthorized cross-origin access. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Inventory all systems running Litestar and identify those with versions <2.20.0; prioritize public-facing APIs. Within 7 days: Apply vendor patch to 2.20.0 or later on all affected systems, beginning with production environments handling sensitive data. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today