Description
Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to 2.20.0, CORSConfig.allowed_origins_regex is constructed using a regex built from configured allowlist values and used with fullmatch() for validation. Because metacharacters are not escaped, a malicious origin can match unexpectedly. The check relies on allowed_origins_regex.fullmatch(origin). This vulnerability is fixed in 2.20.0.
Published: 2026-02-09
Score: 7.4 High
EPSS: < 1% Very Low
KEV: No
Impact: Cross-Origin Resource Sharing (CORS) allowlist bypass
Action: Patch
AI Analysis

Impact

Litestar versions older than 2.20.0 build a regular expression from the configured allowlist values without escaping metacharacters, and this expression is used with fullmatch() to validate the Origin header. Because special characters are not escaped, a malicious Origin value can match the resulting regex and be treated as an allowed origin. This flaw permits an attacker to trick the application into accepting requests from an arbitrary origin, effectively bypassing the intended CORS policy and potentially exposing the application to cross-origin data leakage. This is a CWE-942 vulnerability, indicating improper neutralization of special elements in a regex.

Affected Systems

The Litestar ASGI framework, developed by litestar-org, is affected. All releases prior to 2.20.0 contain the unescaped regex logic and are vulnerable. The issue is fixed in version 2.20.0 and subsequent releases.

Risk and Exploitability

The CVSS score of 7.4 indicates a high severity vulnerability. The EPSS score of less than 1% suggests a low probability of exploitation at present, and the flaw is not listed in CISA’s KEV catalog. The likely attack vector is client-side: an attacker must craft a request with a malformed Origin header that satisfies the flawed regex. If successful, the attacker can make the server accept cross-origin requests from an origin that is not on the intended allowlist, thereby bypassing the CORS policy. Given the high severity and the low current exploitation likelihood, organizations should treat this as a high-risk issue until a patch is applied.

Generated by OpenCVE AI on April 18, 2026 at 18:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Litestar 2.20.0 or newer to apply the fixed regex handling.
  • If an upgrade is not immediately possible, reconfigure CORS to avoid the regex allowlist; for example, use the explicit allowed_origins list or escape all origins before constructing the regular expression.
  • Review any custom CORS handling code to ensure that the Origin header is validated against a strict whitelist and that regex metacharacters are properly escaped.



Advisories
Source: GitHub GHSA
ID: GHSA-2p2x-hpg8-cqp2
Title: Litestar's CORS origin allowlist has a bypass due to unescaped regex metacharacters in allowed origins
History

Tue, 17 Feb 2026 15:30:00 +0000

  First Time appeared: added Litestar (litestar)
  CPEs: added cpe:2.3:a:litestar:litestar:*:*:*:*:*:*:*:*
  Vendors & Products: added Litestar (litestar)

Tue, 10 Feb 2026 17:15:00 +0000

  Metrics: added ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 10 Feb 2026 16:30:00 +0000

  First Time appeared: added Litestar-org (litestar)
  Vendors & Products: added Litestar-org (litestar)

Mon, 09 Feb 2026 19:30:00 +0000

  Description: added "Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to 2.20.0, CORSConfig.allowed_origins_regex is constructed using a regex built from configured allowlist values and used with fullmatch() for validation. Because metacharacters are not escaped, a malicious origin can match unexpectedly. The check relies on allowed_origins_regex.fullmatch(origin). This vulnerability is fixed in 2.20.0."
  Title: added "Litestar has a CORS origin allowlist bypass due to unescaped regex metacharacters in allowed origins"
  Weaknesses: added CWE-942
  References:
  Metrics: added cvssV3_1 {'score': 7.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-10T16:01:16.807Z

Reserved: 2026-02-02T16:31:35.820Z

Link: CVE-2026-25478

Vulnrichment

Updated: 2026-02-10T15:30:26.193Z

NVD

Status: Analyzed

Published: 2026-02-09T20:15:57.017

Modified: 2026-02-17T15:15:29.523

Link: CVE-2026-25478

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T18:15:06Z

Weaknesses