Description
Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to 2.20.0, in litestar.middleware.allowed_hosts, allowlist entries are compiled into regex patterns in a way that allows regex metacharacters to retain special meaning (e.g., . matches any character). This enables a bypass where an attacker supplies a host that matches the regex but is not the intended literal hostname. This vulnerability is fixed in 2.20.0.
Published: 2026-02-09
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Bypass of host header validation
Action: Patch
AI Analysis

Impact

Litestar's AllowedHosts middleware compiles the configured allowlist entries into a regular expression without escaping them, so characters such as "." keep their regex meaning instead of being matched literally. An attacker can therefore send a Host header that satisfies the compiled pattern without being one of the configured hostnames (for a configured "api.example.com", any name of the form "apiXexample.com" is accepted, and such a name can be registered by the attacker), and the application treats the request as coming from a trusted host. Anything downstream that trusts the validated Host value, such as absolute URL construction, redirects, or links generated for email, can then be pointed at an attacker-controlled name. The CVSS vector rates the impact as a limited loss of confidentiality and integrity (C:L/I:L) with no availability impact.
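To make the bug class concrete, here is an added example that is not Litestar's own code and does not reproduce its implementation: a vulnerable allowlist compiler that interpolates entries unescaped (the pattern described in the advisory), the escaped variant beside it, and an audit helper that, for an allowlist you are about to deploy, constructs the registrable look-alike hostname the unescaped pattern would accept. Treating "*" as a wildcard is an assumption made for the illustration, as is the exact port-stripping logic; the allowlist values are constructed sample input.

```python
from __future__ import annotations

import re

# Constructed example, not Litestar's code. Both compilers treat "*" as a
# wildcard (an assumption for illustration) and anchor the whole hostname.


def compile_vulnerable(allowed_hosts: list[str]) -> re.Pattern[str]:
    """Interpolate entries unescaped: "." and every other metacharacter stay live."""
    alternatives = [host.replace("*", ".*") for host in allowed_hosts]
    return re.compile(r"^(" + "|".join(alternatives) + r")$", re.IGNORECASE)


def compile_fixed(allowed_hosts: list[str]) -> re.Pattern[str]:
    """Escape the literal pieces of each entry; only the wildcard becomes regex."""
    alternatives = []
    for host in allowed_hosts:
        pieces = [re.escape(piece) for piece in host.split("*")]
        alternatives.append(".*".join(pieces))
    return re.compile(r"^(" + "|".join(alternatives) + r")$", re.IGNORECASE)


def strip_port(host_header: str) -> str:
    """Drop a :port suffix, leaving bracketed IPv6 literals intact (assumed logic)."""
    value = host_header.strip()
    if value.startswith("[") and "]" in value:
        return value[: value.index("]") + 1]
    return value.split(":", 1)[0]


def host_allowed(pattern: re.Pattern[str], host_header: str) -> bool:
    """True if the Host header value (without port) matches the compiled allowlist."""
    return pattern.match(strip_port(host_header)) is not None


def audit_allowlist(allowed_hosts: list[str]) -> dict[str, str]:
    """For each literal entry containing a ".", build a look-alike that replaces the
    first dot with a letter (api.example.com -> apixexample.com). Such a name is a
    registrable domain an attacker can own. Report it when the unescaped compile
    accepts it but the escaped compile rejects it."""
    vulnerable = compile_vulnerable(allowed_hosts)
    fixed = compile_fixed(allowed_hosts)
    findings: dict[str, str] = {}
    for entry in allowed_hosts:
        if "*" in entry or "." not in entry:
            continue
        head, _, tail = entry.partition(".")
        candidate = f"{head}x{tail}"
        if host_allowed(vulnerable, candidate) and not host_allowed(fixed, candidate):
            findings[entry] = candidate
    return findings


if __name__ == "__main__":
    # Constructed sample allowlist.
    sample_hosts = ["api.example.com", "localhost", "*.internal.example"]
    print(audit_allowlist(sample_hosts))
```

The audit is useful as a pre-upgrade check on a configuration you cannot patch immediately: any entry it reports is one for which the unescaped pattern accepts a hostname the operator never intended, and a reverse proxy in front of the application should be configured to reject exactly those look-alikes.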

Affected Systems

The vulnerability is present in every release of the Litestar framework before 2.20.0: installations on 2.19.x or earlier are affected, and the fix shipped in 2.20.0.

Risk and Exploitability

The CVSS 3.1 base score of 6.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N) is Medium. The EPSS probability is below 1%, so exploitation in the wild is expected to be rare, the SSVC assessment records no known exploitation, and the issue is not listed in the CISA KEV catalog. Exploitation needs nothing beyond the ability to send an HTTP request with a crafted Host header to the application: the vector is network-based and requires neither privileges nor user interaction, and SSVC marks it as automatable with partial technical impact. Once the allowlist is bypassed, the attacker can target any request handling that relies on the Host value. The overall risk is moderate, but the upgrade is cheap and a forged Host value is a building block for other host-header attacks, so prompt patching is warranted.

Generated by OpenCVE AI on April 17, 2026 at 21:18 UTC.

Remediation

Vendor fix: Litestar 2.20.0 or later (GitHub advisory GHSA-93ph-p7v4-hwh4). No vendor workaround for earlier releases is listed here; the recommended actions below cover compensating controls.

OpenCVE Recommended Actions

  • Upgrade Litestar to version 2.20.0 or later to apply the fixed regex handling logic.
  • Audit every allowed_hosts entry, including values assembled from environment variables or config files, for characters with regex meaning (".", "?", "+", "(", "[", "|", "\"). After the upgrade these are matched literally, so confirm that every host you expect to serve is still accepted and that no entry was silently relying on the old pattern behaviour.
  • Deploy a reverse proxy or firewall rule that enforces an exact Host allowlist before traffic reaches the application, rejecting requests whose Host value is not one of the configured names.


Advisories

Source | ID | Title
GitHub GHSA | GHSA-93ph-p7v4-hwh4 | Litestar's AllowedHosts has a validation bypass due to unescaped regex metacharacters in configured host patterns
History

Tue, 17 Feb 2026 15:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Litestar; Litestar litestar
CPEs | | cpe:2.3:a:litestar:litestar:*:*:*:*:*:*:*:*
Vendors & Products | | Litestar; Litestar litestar

Tue, 10 Feb 2026 17:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 10 Feb 2026 16:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Litestar-org; Litestar-org litestar
Vendors & Products | | Litestar-org; Litestar-org litestar

Mon, 09 Feb 2026 19:30:00 +0000

Type | Values Removed | Values Added
Description | | Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to 2.20.0, in litestar.middleware.allowed_hosts, allowlist entries are compiled into regex patterns in a way that allows regex metacharacters to retain special meaning (e.g., . matches any character). This enables a bypass where an attacker supplies a host that matches the regex but is not the intended literal hostname. This vulnerability is fixed in 2.20.0.
Title | | Litestar has an AllowedHosts validation bypass due to unescaped regex metacharacters in configured host patterns
Weaknesses | | CWE-185
References | |
Metrics | | cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-10T16:01:11.941Z

Reserved: 2026-02-02T16:31:35.821Z

Link: CVE-2026-25479

Vulnrichment

Updated: 2026-02-10T15:39:54.271Z

NVD

Status : Analyzed

Published: 2026-02-09T20:15:57.177

Modified: 2026-02-17T15:14:04.910

Link: CVE-2026-25479

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T21:30:28Z

Weaknesses