CVE-2026-25479
Undergoing Analysis Undergoing Analysis - In Progress
Regex Injection in Litestar Allowed Hosts Enables Host Bypass

Publication date: 2026-02-09

Last updated on: 2026-02-17

Assigner: GitHub, Inc.

Description
Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to 2.20.0, in litestar.middleware.allowed_hosts, allowlist entries are compiled into regex patterns in a way that allows regex metacharacters to retain special meaning (e.g., . matches any character). This enables a bypass where an attacker supplies a host that matches the regex but is not the intended literal hostname. This vulnerability is fixed in 2.20.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-09
Last Modified
2026-02-17
Generated
2026-06-16
AI Q&A
2026-02-09
EPSS Evaluated
2026-06-15
NVD
CVE-2026-25479
EUVD
EUVD-2026-6497
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
litestar litestar to 2.20.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-185 The product specifies a regular expression in a way that causes data to be improperly matched or compared.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Litestar ASGI framework prior to version 2.20.0. The issue is in the allowed_hosts middleware, where allowlist entries are compiled into regular expressions without escaping regex metacharacters. This means special characters like '.' retain their regex meaning, allowing an attacker to supply a host that matches the regex pattern but is not the intended literal hostname, effectively bypassing host restrictions.

Impact Analysis

An attacker can exploit this vulnerability to bypass host restrictions by supplying a crafted host header that matches the regex pattern but is not an authorized hostname. This can lead to unauthorized access or manipulation of the application, potentially compromising confidentiality and integrity of data.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Litestar to version 2.20.0 or later, where the issue with allowlist entries being compiled into regex patterns with special meaning is fixed.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25479. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart