PyPI package
litestar
pkg:pypi/litestar
Vulnerabilities (7)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-25480 | — | — | | >= 2.19.0, < 2.20.0 | 2.20.0 | Feb 9, 2026 | Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to 2.20.0, FileStore maps cache keys to filenames using Unicode NFKD normalization and ord() substitution without separators, creating key collisions. When FileStore is used as response-cache backend, an |
| CVE-2026-25479 | — | — | | >= 2.19.0, < 2.20.0 | 2.20.0 | Feb 9, 2026 | Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to 2.20.0, in litestar.middleware.allowed_hosts, allowlist entries are compiled into regex patterns in a way that allows regex metacharacters to retain special meaning (e.g., . matches any character). Th |
| CVE-2026-25478 | — | — | | >= 2.19.0, < 2.20.0 | 2.20.0 | Feb 9, 2026 | Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to 2.20.0, CORSConfig.allowed_origins_regex is constructed using a regex built from configured allowlist values and used with fullmatch() for validation. Because metacharacters are not escaped, a malicio |
| CVE-2025-59152 | High | 7.5 | | >= 2.17.0, < 2.18.0 | 2.18.0 | Oct 6, 2025 | Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. In version 2.17.0, rate limits can be completely bypassed by manipulating the X-Forwarded-For header. This renders IP-based rate limiting ineffective against determined attackers. Litestar's RateLimitMiddlewar |
| CVE-2024-52581 | — | — | | < 2.13.0 | 2.13.0 | Nov 20, 2024 | Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to version 2.13.0, the multipart form parser shipped with litestar expects the entire request body as a single byte string and there is no default limit for the total size of the request body. This allow |
| CVE-2024-42370 | High | 8.3 | | <= 2.10.0 | — | Aug 12, 2024 | Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. In versions 2.10.0 and prior, Litestar's `docs-preview.yml` workflow is vulnerable to Environment Variable injection which may lead to secret exfiltration and repository manipulation. This issue grants a malic |
| CVE-2024-32982 | High | 8.2 | | >= 2.8.0, < 2.8.3 | 2.8.3 | May 6, 2024 | Litestar and Starlite is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to 2.8.3, 2.7.2, and 2.6.4, a Local File Inclusion (LFI) vulnerability has been discovered in the static file serving component of LiteStar. This vulnerability allows attackers to exploit pa |