VYPR
Moderate severity · NVD Advisory · Published Feb 9, 2026 · Updated Feb 10, 2026

Litestar has an AllowedHosts validation bypass due to unescaped regex metacharacters in configured host patterns

CVE-2026-25479

Description

Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to 2.20.0, in litestar.middleware.allowed_hosts, allowlist entries are compiled into regex patterns in a way that allows regex metacharacters to retain their special meaning (for example, an unescaped dot matches any character rather than a literal dot). This enables a bypass where an attacker supplies a host that matches the regex but is not the intended literal hostname. This vulnerability is fixed in 2.20.0.
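The following is an added illustration of the bug class the advisory describes, written for this page; it is not Litestar's code and does not reproduce the project's actual pattern compilation. It assumes a simple allowlist convention in which a bare entry is a literal hostname and a leading "*" stands for one subdomain label. The naive compiler leaves the dot unescaped, so it matches any character; the hardened compiler runs every entry through re.escape before re-introducing the wildcard. The host names used are constructed for the example.

```python
import re
from typing import Iterable, List, Pattern

# Constructed allowlist for the example (not from the advisory).
ALLOWED_HOSTS = ["api.example.com", "*.internal.example.com"]


def compile_naive(allowed_hosts: Iterable[str]) -> Pattern[str]:
    """Vulnerable form: only the wildcard is translated, every other
    character is dropped into the regex as-is, so '.' means 'any char'."""
    parts = [h.replace("*", "[^.]+") for h in allowed_hosts]
    return re.compile("(" + "|".join(parts) + ")", re.IGNORECASE)


def compile_escaped(allowed_hosts: Iterable[str]) -> Pattern[str]:
    """Hardened form: re.escape makes '.', '-', etc. literal; the escaped
    wildcard (r'\\*') is then mapped to exactly one non-empty label."""
    parts = [re.escape(h).replace(r"\*", "[^.]+") for h in allowed_hosts]
    return re.compile("(" + "|".join(parts) + ")", re.IGNORECASE)


def host_allowed(pattern: Pattern[str], host: str) -> bool:
    # fullmatch avoids the '$'-before-trailing-newline quirk of '^...$'.
    return pattern.fullmatch(host) is not None


def over_matches(allowed_hosts: Iterable[str], candidates: Iterable[str]) -> List[str]:
    """Defender's check: hosts the naive compiler accepts that the escaped
    compiler rejects, i.e. the set an unescaped allowlist would let through."""
    naive = compile_naive(allowed_hosts)
    safe = compile_escaped(allowed_hosts)
    return [h for h in candidates if host_allowed(naive, h) and not host_allowed(safe, h)]


if __name__ == "__main__":
    # Constructed candidate Host values: two legitimate, two that only the
    # unescaped pattern accepts, one that both reject (two wildcard labels).
    candidates = [
        "api.example.com",
        "web.internal.example.com",
        "api-example-com",
        "webXinternalXexampleXcom",
        "a.b.internal.example.com",
    ]
    for h in candidates:
        print(f"{h:28s} naive={host_allowed(compile_naive(ALLOWED_HOSTS), h)} "
              f"escaped={host_allowed(compile_escaped(ALLOWED_HOSTS), h)}")
    print("over-matched:", over_matches(ALLOWED_HOSTS, candidates))
```

Running over_matches against a deployment's configured allowlist and a handful of mutated hostnames is a quick regression check that an allowlist compiler escapes its literals; the escaped compiler accepts only the exact hostnames and single-label wildcard expansions the configuration intended.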

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: litestar (PyPI)
Affected versions: >= 2.19.0, < 2.20.0
Patched versions: 2.20.0
