VYPR

Litestar

by Litestar Org

pypi: litestar

Source repositories

CVEs (9)

  • CVE-2024-42370 · High · Aug 12, 2024
    risk 0.47 · cvss 8.3 · epss 0.01

    Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. In versions 2.10.0 and prior, Litestar's `docs-preview.yml` workflow is vulnerable to Environment Variable injection which may lead to secret exfiltration and repository manipulation. This issue grants a…

  • CVE-2024-32982 · High · May 6, 2024
    risk 0.46 · cvss 8.2 · epss 0.01

    Litestar and Starlite are Asynchronous Server Gateway Interface (ASGI) frameworks. Prior to 2.8.3, 2.7.2, and 2.6.4, a Local File Inclusion (LFI) vulnerability has been discovered in the static file serving component of Litestar. This vulnerability allows attackers to exploit…
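    The containment check that a static file handler needs against this class of bug, as an added example written for this page (it is not Litestar's own static-file code and says nothing about where Litestar's check actually went wrong). The directory layout, the `build_fixture` helper and the two path functions are assumptions for the demo: a static root `public/` and a `secret.txt` one level above it.

```python
import tempfile
from pathlib import Path
from typing import Optional
from urllib.parse import unquote


def build_fixture() -> Path:
    """Constructed sample layout (assumption for the demo):
    <tmp>/secret.txt sits OUTSIDE the static root <tmp>/public,
    which holds only index.html."""
    base = Path(tempfile.mkdtemp())
    (base / "secret.txt").write_text("db_password=hunter2\n")
    root = base / "public"
    root.mkdir()
    (root / "index.html").write_text("<h1>hello</h1>\n")
    return root


def weak_static_path(root: Path, request_path: str) -> Path:
    """Vulnerable pattern: join the decoded URL path under the root and serve
    whatever that names. '..' segments are kept verbatim, so the OS walks out
    of the root when the file is opened."""
    return root / unquote(request_path).lstrip("/")


def safe_static_path(root: Path, request_path: str) -> Optional[Path]:
    """Hardened: decode, resolve (collapses '..', follows symlinks), then
    require the result to still lie inside the resolved root and to be a
    regular file. Anything else is reported as None (serve a 404)."""
    try:
        root_resolved = root.resolve()
        candidate = (root_resolved / unquote(request_path).lstrip("/")).resolve()
        inside = candidate.is_relative_to(root_resolved) and candidate.is_file()
    except (ValueError, OSError):  # e.g. an embedded NUL byte in the path
        return None
    return candidate if inside else None


if __name__ == "__main__":
    root = build_fixture()
    print(weak_static_path(root, "../secret.txt").read_text())  # leaks secret.txt
    print(safe_static_path(root, "../secret.txt"))              # None
    print(safe_static_path(root, "%2e%2e/secret.txt"))          # None
    print(safe_static_path(root, "index.html"))                 # .../public/index.html
```

    The check is done on the resolved path rather than on the request string: rejecting the substring `..` would miss percent-encoded and symlink variants, while comparing resolved paths catches both.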

  • CVE-2025-59152 · High · Oct 6, 2025
    risk 0.42 · cvss 7.5 · epss 0.00

    Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. In version 2.17.0, rate limits can be completely bypassed by manipulating the X-Forwarded-For header. This renders IP-based rate limiting ineffective against determined attackers. Litestar's…

  • CVE-2026-48060 · High · Jun 10, 2026
    risk 0.38 · cvss n/a · epss 0.00

    Litestar instances which use a template engine in conjunction with CSRF protection are vulnerable to HTML injection, which can be escalated to Cross-Site Scripting because the contents of the CSRF cookie are excluded from automatic escaping by the template engine…
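    Why a value excluded from auto-escaping must not originate from the client, as an added example for this page; it is not Litestar's code and not any real template engine. The tiny `render` function below is an assumption that imitates an engine's "mark as safe" behaviour, and the form template is constructed for the demo.

```python
import re
from html import escape
from typing import Dict, FrozenSet

_VAR = re.compile(r"\{\{\s*(\w+)\s*\}\}")

# Constructed template: the token is written into an attribute value.
CSRF_FORM = (
    '<form method="post">'
    '<input type="hidden" name="_csrf_token" value="{{ csrf_token }}">'
    "</form>"
)


def render(template: str, context: Dict[str, str], safe: FrozenSet[str] = frozenset()) -> str:
    """Toy renderer (assumption, not a real engine): substitute {{ name }},
    HTML-escaping every value except the names listed in `safe`, which is
    what an engine's 'exclude from autoescape' does."""
    def substitute(match):
        name = match.group(1)
        value = context.get(name, "")
        return value if name in safe else escape(value, quote=True)
    return _VAR.sub(substitute, template)


def weak_csrf_form(cookie_token: str) -> str:
    """Vulnerable: the CSRF cookie value is excluded from escaping, yet it is
    whatever the client sent in its Cookie header."""
    return render(CSRF_FORM, {"csrf_token": cookie_token}, safe=frozenset({"csrf_token"}))


def safe_csrf_form(cookie_token: str) -> str:
    """Hardened: the token gets the same escaping as every other value.
    A genuine token is made of URL-safe characters, so nothing legitimate changes."""
    return render(CSRF_FORM, {"csrf_token": cookie_token})


def breaks_out_of_attribute(html: str) -> bool:
    """True if a raw <script> element reached the output outside the attribute."""
    return "<script>" in html


if __name__ == "__main__":
    injected = '"><script>alert(document.cookie)</script>'
    print(weak_csrf_form(injected))
    print(safe_csrf_form(injected))
```

    The attacker only needs to plant the cookie value (for example from a sibling subdomain, or through any other cookie-setting primitive); the server then reflects it into every rendered form.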

  • CVE-2026-48061 · Jun 10, 2026
    risk 0.00 · cvss n/a · epss 0.00

    `AllowedHostsMiddleware` trusts the `X-Forwarded-Host` header as a fallback when the `Host` header is absent. Since `X-Forwarded-Host` is a client-controllable header, an attacker can bypass the allowed hosts validation by omitting the `Host` header and supplying an…
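    Both the `X-Forwarded-For` rate-limit bypass (CVE-2025-59152) and this `X-Forwarded-Host` fallback come down to one rule: a forwarded header is only meaningful when the TCP peer is a proxy you run. The example below is added for this page and is not Litestar's middleware; the `Headers` dict shape, the trusted-proxy list and the sample addresses are assumptions.

```python
import ipaddress
from typing import Dict, Iterable, Optional, Union

Headers = Dict[str, str]  # lowercase header name -> value (assumption)
IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def _parse_ip(text: str) -> Optional[IPAddr]:
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def weak_client_ip(headers: Headers, peer_ip: str) -> str:
    """Vulnerable: the left-most X-Forwarded-For entry is taken as the client.
    The client writes that header itself, so every request can carry a new
    'address' and a per-IP rate limit never sees the same key twice."""
    xff = headers.get("x-forwarded-for")
    return xff.split(",")[0].strip() if xff else peer_ip


def client_ip(headers: Headers, peer_ip: str, trusted_proxies: Iterable[str]) -> str:
    """Hardened: only consult X-Forwarded-For when the TCP peer is a trusted
    proxy, and walk the list from the RIGHT, skipping trusted hops; the first
    untrusted hop is what the nearest trusted proxy saw connect to it.
    Anything the client prepended sits further left and is never reached."""
    trusted = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]

    def is_trusted(addr: IPAddr) -> bool:
        return any(addr in net for net in trusted)

    peer = _parse_ip(peer_ip)
    if peer is None or not is_trusted(peer):
        return peer_ip
    hops = [h for h in headers.get("x-forwarded-for", "").split(",") if h.strip()]
    for hop in reversed(hops):
        addr = _parse_ip(hop)
        if addr is None:
            return peer_ip  # malformed hop: distrust everything left of it
        if not is_trusted(addr):
            return str(addr)
    return peer_ip  # header absent, or every hop was a proxy of ours


def _hostname(host: str) -> str:
    """Lower-case and strip a port, keeping bracketed IPv6 literals intact."""
    host = host.strip().lower()
    if host.startswith("["):
        return host.split("]", 1)[0] + "]"
    return host.split(":", 1)[0]


def weak_host_allowed(headers: Headers, allowed: Iterable[str]) -> bool:
    """Vulnerable: fall back to X-Forwarded-Host when Host is absent.
    A client can omit Host (HTTP/1.0) and supply X-Forwarded-Host itself."""
    host = headers.get("host") or headers.get("x-forwarded-host", "")
    return _hostname(host) in {a.lower() for a in allowed}


def host_allowed(headers: Headers, allowed: Iterable[str]) -> bool:
    """Hardened: validate Host only; a missing Host is rejected, and
    X-Forwarded-Host is never used as a substitute."""
    host = headers.get("host")
    return bool(host) and _hostname(host) in {a.lower() for a in allowed}
```

    If a deployment really does need `X-Forwarded-Host`, apply the same rule as for `X-Forwarded-For`: honour it only when the peer is a trusted proxy, and have that proxy overwrite rather than append the header.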

  • CVE-2026-25480 · Feb 9, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to 2.20.0, FileStore maps cache keys to filenames using Unicode NFKD normalization and ord() substitution without separators, creating key collisions. When FileStore is used as response-cache backend,…
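    How a "normalise, then substitute `ord()` with no separator" key-to-filename map collides, and the hashed replacement, as an added example for this page. `weak_filename` is a simplified reconstruction of the scheme the advisory describes, not Litestar's FileStore code; the in-memory `CacheStore` and the sample keys are assumptions for the demo.

```python
import hashlib
import unicodedata
from typing import Callable, Dict, Optional


def weak_filename(key: str) -> str:
    """Simplified reconstruction (assumption) of the described scheme:
    NFKD-normalise, keep ASCII letters and digits, replace every other
    character with its decimal code point, with NO separator between tokens.
    Distinct keys therefore share a name, e.g.
    '/api/users/1' -> '47api47users471' <- '47api47users471'."""
    normalised = unicodedata.normalize("NFKD", key)
    return "".join(c if (c.isascii() and c.isalnum()) else str(ord(c)) for c in normalised)


def safe_filename(key: str) -> str:
    """Hardened: hash the key's exact UTF-8 bytes. No normalisation step,
    fixed length, filesystem-safe hex, and distinct keys give distinct
    names (up to SHA-256 collision resistance)."""
    return hashlib.sha256(key.encode("utf-8")).hexdigest()


class CacheStore:
    """Minimal in-memory stand-in for a file-backed store (assumption):
    a dict keyed by the derived filename plays the role of the directory."""

    def __init__(self, name_for_key: Callable[[str], str]) -> None:
        self._name_for_key = name_for_key
        self._files: Dict[str, bytes] = {}

    def set(self, key: str, body: bytes) -> None:
        self._files[self._name_for_key(key)] = body

    def get(self, key: str) -> Optional[bytes]:
        return self._files.get(self._name_for_key(key))


def poisoning_succeeds(name_for_key: Callable[[str], str]) -> bool:
    """Cache a response under the victim key, write under a colliding key,
    and report whether the victim key now returns the attacker's body."""
    store = CacheStore(name_for_key)
    store.set("/api/users/1", b"user 1 profile")
    store.set("47api47users471", b"attacker-controlled body")
    return store.get("/api/users/1") == b"attacker-controlled body"


if __name__ == "__main__":
    print(weak_filename("/api/users/1"), weak_filename("47api47users471"))
    print(weak_filename("\ufb01le"), weak_filename("file"))  # NFKD folds U+FB01 into 'fi'
    print(poisoning_succeeds(weak_filename), poisoning_succeeds(safe_filename))
```

    Two independent sources of collision are visible: the separator-free `ord()` encoding (a `/` becomes the digits `47`, which a key may also contain literally) and NFKD folding (the ligature U+FB01 becomes `fi`). Hashing the raw bytes removes both.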

  • CVE-2026-25479 · Feb 9, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to 2.20.0, in litestar.middleware.allowed_hosts, allowlist entries are compiled into regex patterns in a way that allows regex metacharacters to retain special meaning (e.g., a literal '.' in an entry matches any character).…

  • CVE-2026-25478 · Feb 9, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to 2.20.0, CORSConfig.allowed_origins_regex is constructed using a regex built from configured allowlist values and used with fullmatch() for validation. Because metacharacters are not escaped, a…
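    The allowed-hosts entry (CVE-2026-25479) and this CORS origin entry share one root cause, so one added example covers both: building a regex from an allowlist without escaping. This is example code for this page, not Litestar's middleware; the single-label wildcard semantics and the sample hosts are assumptions.

```python
import re
from typing import Iterable, Pattern


def weak_allowlist_pattern(entries: Iterable[str]) -> Pattern[str]:
    """Vulnerable: entries are interpolated verbatim, so '.' means 'any
    character' and a leading '*' is a regex error rather than a wildcard."""
    return re.compile("^(?:" + "|".join(entries) + ")$", re.IGNORECASE)


def allowlist_pattern(entries: Iterable[str]) -> Pattern[str]:
    """Hardened: re.escape each entry so every character is literal, then
    re-introduce the one intended wildcard: an escaped '\\*' becomes
    '[^.]+', i.e. exactly one DNS label, so '*.example.com' matches
    'api.example.com' but not 'a.b.example.com' or 'example.com.evil'."""
    parts = [re.escape(entry).replace(r"\*", r"[^.]+") for entry in entries]
    return re.compile("^(?:" + "|".join(parts) + ")$", re.IGNORECASE)


def is_allowed(pattern: Pattern[str], value: str) -> bool:
    """Whole-string match, as a host or origin check must be."""
    return pattern.fullmatch(value) is not None


if __name__ == "__main__":
    weak = weak_allowlist_pattern(["api.example.com"])
    strict = allowlist_pattern(["api.example.com", "https://*.example.com"])
    # An attacker who registers api-example.com passes the weak check.
    print(is_allowed(weak, "api-example.com"), is_allowed(strict, "api-example.com"))
    print(is_allowed(strict, "https://app.example.com"), is_allowed(strict, "https://app.evil.example.com"))
```

    The dangerous part is that an unescaped `.` turns every dot in a legitimate hostname into a wildcard, and dashes are valid in registrable names, so `api-example.com` is a domain an attacker can actually own.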

  • CVE-2024-52581 · Nov 20, 2024
    risk 0.00 · cvss n/a · epss 0.01

    Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to version 2.13.0, the multipart form parser shipped with litestar expects the entire request body as a single byte string and there is no default limit for the total size of the request body. This…
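    A bounded body reader, the kind of limit the advisory says was missing when the multipart parser required the whole body as one byte string. Added example for this page, not Litestar's parser; it assumes the body arrives as an iterable of chunks (as an ASGI receive loop would yield them) and builds a constructed multipart body to read.

```python
from typing import Iterable, Iterator


class BodyTooLarge(Exception):
    """Raised before the buffered body can grow past the limit."""


def weak_read_body(chunks: Iterable[bytes]) -> bytes:
    """Vulnerable: buffer everything, however large; a client that keeps
    sending (chunked transfer, or a huge Content-Length) sizes your RAM."""
    return b"".join(chunks)


def read_body(chunks: Iterable[bytes], max_bytes: int) -> bytes:
    """Hardened: enforce the cap on the running total, not on Content-Length,
    so it holds for chunked bodies and lying clients alike. Fail before
    appending the chunk that would cross the line."""
    buf = bytearray()
    for chunk in chunks:
        if len(buf) + len(chunk) > max_bytes:
            raise BodyTooLarge(f"request body exceeds {max_bytes} bytes")
        buf += chunk
    return bytes(buf)


def exceeds_limit(chunks: Iterable[bytes], max_bytes: int) -> bool:
    """Convenience wrapper: True if read_body refuses the body."""
    try:
        read_body(chunks, max_bytes)
    except BodyTooLarge:
        return True
    return False


def constructed_multipart(boundary: bytes, n_chunks: int, chunk_size: int) -> Iterator[bytes]:
    """Constructed sample body: one file part of n_chunks*chunk_size bytes,
    yielded lazily so the generator itself never holds the whole thing."""
    yield b"--" + boundary + b"\r\n"
    yield b'Content-Disposition: form-data; name="upload"; filename="a.bin"\r\n'
    yield b"Content-Type: application/octet-stream\r\n\r\n"
    for _ in range(n_chunks):
        yield b"A" * chunk_size
    yield b"\r\n--" + boundary + b"--\r\n"


if __name__ == "__main__":
    ok = read_body(constructed_multipart(b"boundary42", 4, 1024), max_bytes=8192)
    print(len(ok), "bytes accepted")
    print("4 MiB body refused at 1 MiB cap:",
          exceeds_limit(constructed_multipart(b"boundary42", 4096, 1024), max_bytes=1024 * 1024))
```

    The limit is checked on bytes actually received rather than on the declared `Content-Length`, because a client may omit or understate that header and stream indefinitely; the reader must also stop consuming once it refuses, rather than draining the rest of the body.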