CVE-2026-25478
Status: Undergoing Analysis - In Progress
Regex Injection in Litestar CORSConfig Allows Origin Spoofing

Publication date: 2026-02-09

Last updated on: 2026-02-17

Assigner: GitHub, Inc.

Description
Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to 2.20.0, CORSConfig.allowed_origins_regex is a regular expression built from the configured allowlist values and used with fullmatch() for origin validation. Because regex metacharacters in those values are not escaped, a crafted origin can match unexpectedly. The check relies on allowed_origins_regex.fullmatch(origin). This vulnerability is fixed in 2.20.0.
Meta Information
Published: 2026-02-09
Last Modified: 2026-02-17
Generated: 2026-06-16
AI Q&A: 2026-02-09
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Showing 1 associated CPE
Vendor: litestar; Product: litestar; Version / Range: up to 2.20.0 (exclusive)
CWE
CWE-942: The product uses a web-client protection mechanism such as a Content Security Policy (CSP) or cross-domain policy file, but the policy includes untrusted domains with which the web client is allowed to communicate.
AI Quick Actions (AI-generated content)
Executive Summary

This vulnerability exists in the Litestar ASGI framework versions prior to 2.20.0. It involves the CORSConfig.allowed_origins_regex, which is a regular expression constructed from configured allowlist values to validate origins. Because metacharacters in the allowlist values are not escaped, a malicious origin can unexpectedly match the regex validation. This means that the check using allowed_origins_regex.fullmatch(origin) can be bypassed by crafted origins.

Impact Analysis

The vulnerability can allow a malicious origin to bypass the intended CORS origin validation. This could lead to unauthorized cross-origin requests being accepted by the server, potentially exposing sensitive data or functionality to untrusted origins.

Mitigation Strategies

To mitigate this vulnerability, upgrade Litestar to version 2.20.0 or later, where the issue with allowed_origins_regex is fixed by properly escaping metacharacters in the regex used for origin validation.
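The following is an added example, not Litestar's own code, that reconstructs the mechanism described in the executive summary and the fix described under Mitigation Strategies in a few lines. The helpers build_origin_regex, origin_allowed, unescaped_allowlist_entries and compare are hypothetical names chosen here; the allowlist values are constructed for the demonstration. The unescaped construction lets the "." in an allowlist entry act as a wildcard, so a look-alike origin passes fullmatch(); applying re.escape() to each value makes the same check literal. The audit helper flags which configured values would be reinterpreted as patterns, which is a useful one-off check against an existing configuration before and after upgrading.

```python
import re
from typing import Iterable

# Constructed allowlist, as an operator might configure it (not from the advisory).
ALLOWED_ORIGINS = ["https://app.example.com", "https://admin.example.com"]


def build_origin_regex(allowed_origins: Iterable[str], escape: bool) -> re.Pattern:
    """Join the allowlist into a single alternation pattern.

    escape=False mirrors the flawed construction the advisory describes
    (raw values dropped into the regex); escape=True applies re.escape()
    so every value is matched literally. Hypothetical helper, not Litestar's code.
    """
    parts = [re.escape(o) if escape else o for o in allowed_origins]
    return re.compile("|".join(parts))


def origin_allowed(pattern: re.Pattern, origin: str) -> bool:
    # fullmatch() anchors both ends, so the weakness lies only in the
    # unescaped metacharacters, not in partial matching.
    return pattern.fullmatch(origin) is not None


def unescaped_allowlist_entries(allowed_origins: Iterable[str]) -> list:
    """Audit helper: allowlist values containing regex metacharacters.

    Any value that re.escape() would change is interpreted as a pattern,
    not a literal, by the unescaped construction.
    """
    return [o for o in allowed_origins if re.escape(o) != o]


def compare(origin: str) -> dict:
    """Evaluate one Origin value against the flawed and the hardened check."""
    vulnerable = build_origin_regex(ALLOWED_ORIGINS, escape=False)
    hardened = build_origin_regex(ALLOWED_ORIGINS, escape=True)
    return {
        "origin": origin,
        "vulnerable": origin_allowed(vulnerable, origin),
        "hardened": origin_allowed(hardened, origin),
    }


if __name__ == "__main__":
    # The legitimate origin passes both checks; the look-alike origin, where
    # each "." has been replaced by another character, passes only the
    # unescaped check because "." matches any character.
    for candidate in ["https://app.example.com", "https://appXexampleXcom"]:
        print(compare(candidate))
    print("entries that need escaping:", unescaped_allowlist_entries(ALLOWED_ORIGINS))
```

Running the script shows the legitimate origin accepted by both variants and the look-alike accepted only by the unescaped variant; the audit helper reports every entry containing "." as needing escaping, which is the condition the 2.20.0 fix addresses.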
