PT-2026-7135 · Litestar · Litestar

Sirdorblu · Published 2026-02-09 · Updated 2026-02-10

CVE-2026-25478

CVSS v3.1: 7.4 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Litestar, versions prior to 2.20.0
Description: Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to version 2.20.0, CORS origin validation can be bypassed. The configured allow-origins allowlist is compiled into a regular expression without escaping regex metacharacters, and the Origin header is then validated with `fullmatch()` against that pattern. Because characters such as `.` in an allowlisted origin keep their regex meaning, an attacker-controlled origin that differs from an allowlisted one only at those positions is accepted. If `allow_credentials` is set to `True` and authenticated endpoints return sensitive data, this can lead to cross-origin data exposure. The vulnerable component is `CORSConfig.allowed_origins_regex`; validation relies on `allowed_origins_regex.fullmatch(origin)`. The root cause is the use of an unescaped regular expression to validate the Origin header.
Recommendations: Update Litestar to version 2.20.0 or later to address this issue.
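The mechanism above is easy to reproduce outside the framework. The following is an added illustration written for this page, not Litestar's source: `vulnerable_pattern` mimics the described flaw (allowlist entries joined into an alternation and compiled verbatim), `safe_pattern` shows the escaped form, and `is_allowed` performs the `fullmatch()` check the advisory describes. The allowlist entries and the attacker origin `https://appxexample.com` are constructed for the example; the unescaped `.` in `app.example.com` matches the `x`, so the bypass succeeds only against the vulnerable pattern.

```python
import re

# Constructed allowlist for the example; the hosts are placeholders.
ALLOWED_ORIGINS = ["https://app.example.com", "https://admin.example.com:8443"]

# Regex metacharacters that change meaning when left unescaped in a pattern.
_REGEX_METACHARS = set(r".^$*+?{}[]\|()")


def vulnerable_pattern(origins: list[str]) -> re.Pattern[str]:
    """Hypothetical reconstruction of the flaw: entries are joined into an
    alternation and compiled as-is, so '.' and friends keep regex meaning."""
    return re.compile("|".join(origins))


def safe_pattern(origins: list[str]) -> re.Pattern[str]:
    """Hardened form: re.escape() each entry so every alternative matches
    only its literal text."""
    return re.compile("|".join(re.escape(origin) for origin in origins))


def is_allowed(pattern: re.Pattern[str], origin: str) -> bool:
    """Validation as the advisory describes it: fullmatch() of the Origin
    header value against the compiled allowlist pattern."""
    return pattern.fullmatch(origin) is not None


def audit_allowlist(origins: list[str]) -> dict[str, set[str]]:
    """Return, per allowlist entry, the regex metacharacters it contains.
    Useful when checking a deployment's CORS config: any non-empty entry
    means the unescaped pattern does not match only the literal origin."""
    return {o: set(o) & _REGEX_METACHARS for o in origins if set(o) & _REGEX_METACHARS}


def demo(origin: str = "https://appxexample.com") -> dict[str, bool]:
    """Compare the two patterns against an attacker-chosen origin."""
    return {
        "vulnerable_accepts": is_allowed(vulnerable_pattern(ALLOWED_ORIGINS), origin),
        "safe_accepts": is_allowed(safe_pattern(ALLOWED_ORIGINS), origin),
    }


if __name__ == "__main__":
    print(demo())
    print(audit_allowlist(ALLOWED_ORIGINS))
```

Note that `fullmatch()` alone is not the problem: it correctly rejects `https://app.example.com.evil.test` even with the vulnerable pattern, because the whole string must match. The bypass needs an origin of the same length whose differing characters land on unescaped metacharacters, which is why `audit_allowlist` flags the `.` in every realistic hostname.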

Related Identifiers

CVE-2026-25478
GHSA-2P2X-HPG8-CQP2

Affected Products

Litestar