Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
4 vulnerabilities by litestar
CVE-2026-25480 (GCVE-0-2026-25480)
Vulnerability from cvelistv5 – Published: 2026-02-09 18:49 – Updated: 2026-02-10 16:01
VLAI?
Title
FileStore key canonicalization collisions allow response cache mixup/poisoning (ASCII ord + Unicode NFKD)
Summary
Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to 2.20.0, FileStore maps cache keys to filenames using Unicode NFKD normalization and ord() substitution without separators, creating key collisions. When FileStore is used as response-cache backend, an unauthenticated remote attacker can trigger cache key collisions via crafted paths, causing one URL to serve cached responses of another (cache poisoning/mixup). This vulnerability is fixed in 2.20.0.
Severity ?
6.5 (Medium)
CWE
- CWE-176 - Improper Handling of Unicode Encoding
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| litestar-org | litestar |
Affected:
< 2.20.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25480",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-10T15:39:52.216141Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-10T16:01:06.327Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "litestar",
"vendor": "litestar-org",
"versions": [
{
"status": "affected",
"version": "\u003c 2.20.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to 2.20.0, FileStore maps cache keys to filenames using Unicode NFKD normalization and ord() substitution without separators, creating key collisions. When FileStore is used as response-cache backend, an unauthenticated remote attacker can trigger cache key collisions via crafted paths, causing one URL to serve cached responses of another (cache poisoning/mixup). This vulnerability is fixed in 2.20.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-176",
"description": "CWE-176: Improper Handling of Unicode Encoding",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T18:49:34.305Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/litestar-org/litestar/security/advisories/GHSA-vxqx-rh46-q2pg",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/litestar-org/litestar/security/advisories/GHSA-vxqx-rh46-q2pg"
},
{
"name": "https://github.com/litestar-org/litestar/commit/85db6183a76f8a6b3fd6ee3c88d860b9f37a2cca",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/litestar-org/litestar/commit/85db6183a76f8a6b3fd6ee3c88d860b9f37a2cca"
},
{
"name": "https://docs.litestar.dev/2/release-notes/changelog.html#2.20.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.litestar.dev/2/release-notes/changelog.html#2.20.0"
},
{
"name": "https://github.com/litestar-org/litestar/releases/tag/v2.20.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/litestar-org/litestar/releases/tag/v2.20.0"
}
],
"source": {
"advisory": "GHSA-vxqx-rh46-q2pg",
"discovery": "UNKNOWN"
},
"title": "FileStore key canonicalization collisions allow response cache mixup/poisoning (ASCII ord + Unicode NFKD)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-25480",
"datePublished": "2026-02-09T18:49:34.305Z",
"dateReserved": "2026-02-02T16:31:35.821Z",
"dateUpdated": "2026-02-10T16:01:06.327Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-25479 (GCVE-0-2026-25479)
Vulnerability from cvelistv5 – Published: 2026-02-09 18:48 – Updated: 2026-02-10 16:01
VLAI?
Title
Litestar has an AllowedHosts validation bypass due to unescaped regex metacharacters in configured host patterns
Summary
Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to 2.20.0, in litestar.middleware.allowed_hosts, allowlist entries are compiled into regex patterns in a way that allows regex metacharacters to retain special meaning (e.g., . matches any character). This enables a bypass where an attacker supplies a host that matches the regex but is not the intended literal hostname. This vulnerability is fixed in 2.20.0.
Severity ?
6.5 (Medium)
CWE
- CWE-185 - Incorrect Regular Expression
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| litestar-org | litestar |
Affected:
< 2.20.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25479",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-10T15:39:53.590127Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-10T16:01:11.941Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "litestar",
"vendor": "litestar-org",
"versions": [
{
"status": "affected",
"version": "\u003c 2.20.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to 2.20.0, in litestar.middleware.allowed_hosts, allowlist entries are compiled into regex patterns in a way that allows regex metacharacters to retain special meaning (e.g., . matches any character). This enables a bypass where an attacker supplies a host that matches the regex but is not the intended literal hostname. This vulnerability is fixed in 2.20.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-185",
"description": "CWE-185: Incorrect Regular Expression",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T18:48:19.971Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/litestar-org/litestar/security/advisories/GHSA-93ph-p7v4-hwh4",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/litestar-org/litestar/security/advisories/GHSA-93ph-p7v4-hwh4"
},
{
"name": "https://github.com/litestar-org/litestar/commit/06b36f481d1bfea6f19995cfb4f203aba45c4ace",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/litestar-org/litestar/commit/06b36f481d1bfea6f19995cfb4f203aba45c4ace"
},
{
"name": "https://docs.litestar.dev/2/release-notes/changelog.html#2.20.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.litestar.dev/2/release-notes/changelog.html#2.20.0"
},
{
"name": "https://github.com/litestar-org/litestar/releases/tag/v2.20.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/litestar-org/litestar/releases/tag/v2.20.0"
}
],
"source": {
"advisory": "GHSA-93ph-p7v4-hwh4",
"discovery": "UNKNOWN"
},
"title": "Litestar has an AllowedHosts validation bypass due to unescaped regex metacharacters in configured host patterns"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-25479",
"datePublished": "2026-02-09T18:48:19.971Z",
"dateReserved": "2026-02-02T16:31:35.821Z",
"dateUpdated": "2026-02-10T16:01:11.941Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-25478 (GCVE-0-2026-25478)
Vulnerability from cvelistv5 – Published: 2026-02-09 18:46 – Updated: 2026-02-10 16:01
VLAI?
Title
Litestar has a CORS origin allowlist bypass due to unescaped regex metacharacters in allowed origins
Summary
Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to 2.20.0, CORSConfig.allowed_origins_regex is constructed using a regex built from configured allowlist values and used with fullmatch() for validation. Because metacharacters are not escaped, a malicious origin can match unexpectedly. The check relies on allowed_origins_regex.fullmatch(origin). This vulnerability is fixed in 2.20.0.
Severity ?
7.4 (High)
CWE
- CWE-942 - Permissive Cross-domain Policy with Untrusted Domains
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| litestar-org | litestar |
Affected:
< 2.20.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25478",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-10T15:30:25.275815Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-10T16:01:16.807Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "litestar",
"vendor": "litestar-org",
"versions": [
{
"status": "affected",
"version": "\u003c 2.20.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to 2.20.0, CORSConfig.allowed_origins_regex is constructed using a regex built from configured allowlist values and used with fullmatch() for validation. Because metacharacters are not escaped, a malicious origin can match unexpectedly. The check relies on allowed_origins_regex.fullmatch(origin). This vulnerability is fixed in 2.20.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-942",
"description": "CWE-942: Permissive Cross-domain Policy with Untrusted Domains",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T18:46:56.445Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/litestar-org/litestar/security/advisories/GHSA-2p2x-hpg8-cqp2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/litestar-org/litestar/security/advisories/GHSA-2p2x-hpg8-cqp2"
},
{
"name": "https://github.com/litestar-org/litestar/commit/eb87703b309efcc0d1b087dcb12784e76b003d5a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/litestar-org/litestar/commit/eb87703b309efcc0d1b087dcb12784e76b003d5a"
},
{
"name": "https://docs.litestar.dev/2/release-notes/changelog.html#2.20.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.litestar.dev/2/release-notes/changelog.html#2.20.0"
},
{
"name": "https://github.com/litestar-org/litestar/releases/tag/v2.20.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/litestar-org/litestar/releases/tag/v2.20.0"
}
],
"source": {
"advisory": "GHSA-2p2x-hpg8-cqp2",
"discovery": "UNKNOWN"
},
"title": "Litestar has a CORS origin allowlist bypass due to unescaped regex metacharacters in allowed origins"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-25478",
"datePublished": "2026-02-09T18:46:56.445Z",
"dateReserved": "2026-02-02T16:31:35.820Z",
"dateUpdated": "2026-02-10T16:01:16.807Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-52581 (GCVE-0-2024-52581)
Vulnerability from cvelistv5 – Published: 2024-11-20 20:50 – Updated: 2024-11-25 13:46
VLAI?
Title
Litestar allows unbounded resource consumption (DoS vulnerability)
Summary
Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to version 2.13.0, the multipart form parser shipped with litestar expects the entire request body as a single byte string and there is no default limit for the total size of the request body. This allows an attacker to upload arbitrary large files wrapped in a `multipart/form-data` request and cause excessive memory consumption on the server. The multipart form parser in affected versions is vulnerable to this type of attack by design. The public method signature as well as its implementation both expect the entire request body to be available as a single byte string. It is not possible to accept large file uploads in a safe way using this parser. This may be a regression, as a variation of this issue was already reported in CVE-2023-25578. Limiting the part number is not sufficient to prevent out-of-memory errors on the server. A patch is available in version 2.13.0.
Severity ?
CWE
- CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| litestar-org | litestar |
Affected:
< 2.13.0
|
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:litestar-org:litestar:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "litestar",
"vendor": "litestar-org",
"versions": [
{
"lessThan": "2.13.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-52581",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-21T14:05:15.626887Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-21T14:38:42.858Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "litestar",
"vendor": "litestar-org",
"versions": [
{
"status": "affected",
"version": "\u003c 2.13.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to version 2.13.0, the multipart form parser shipped with litestar expects the entire request body as a single byte string and there is no default limit for the total size of the request body. This allows an attacker to upload arbitrary large files wrapped in a `multipart/form-data` request and cause excessive memory consumption on the server. The multipart form parser in affected versions is vulnerable to this type of attack by design. The public method signature as well as its implementation both expect the entire request body to be available as a single byte string. It is not possible to accept large file uploads in a safe way using this parser. This may be a regression, as a variation of this issue was already reported in CVE-2023-25578. Limiting the part number is not sufficient to prevent out-of-memory errors on the server. A patch is available in version 2.13.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770: Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-25T13:46:28.592Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/litestar-org/litestar/security/advisories/GHSA-gjcc-jvgw-wvwj",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/litestar-org/litestar/security/advisories/GHSA-gjcc-jvgw-wvwj"
},
{
"name": "https://github.com/litestar-org/litestar/security/advisories/GHSA-p24m-863f-fm6q",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/litestar-org/litestar/security/advisories/GHSA-p24m-863f-fm6q"
},
{
"name": "https://github.com/litestar-org/litestar/commit/53c1473b5ff7502816a9a339ffc90731bb0c2138",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/litestar-org/litestar/commit/53c1473b5ff7502816a9a339ffc90731bb0c2138"
},
{
"name": "https://github.com/litestar-org/litestar/blob/main/litestar/_multipart.py#L97",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/litestar-org/litestar/blob/main/litestar/_multipart.py#L97"
}
],
"source": {
"advisory": "GHSA-gjcc-jvgw-wvwj",
"discovery": "UNKNOWN"
},
"title": "Litestar allows unbounded resource consumption (DoS vulnerability)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-52581",
"datePublished": "2024-11-20T20:50:19.679Z",
"dateReserved": "2024-11-14T15:05:46.765Z",
"dateUpdated": "2024-11-25T13:46:28.592Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}