PT-2026-7136 · Litestar · Litestar
Sirdorblu · Published 2026-02-09 · Updated 2026-02-09 · CVE-2026-25479
CVSS v3.1: 6.5 Medium
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Litestar versions prior to 2.20.0
Description: Litestar's allowed hosts validation can be bypassed because configured host patterns are converted into regular expressions without escaping regex metacharacters. In particular, the "." in a configured hostname keeps its any-character meaning, so an attacker can present a Host header value that matches the generated regex without being the intended literal hostname (for example, a host that differs from the configured one only at the position of a dot). This affects applications that rely on the AllowedHosts middleware to prevent Host header attacks, and can lead to a bypass of that security control. The vulnerable component is litestar.middleware.allowed_hosts; the vulnerable parameter is the allowed_hosts configuration.
Recommendations: Update to Litestar version 2.20.0 or later.
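The following is an added illustration of the bug class described above, not Litestar's own code. It builds a host allow-list matcher the unsafe way (literal hosts interpolated into a regex unescaped) beside the corrected form (re.escape on the literal part), and includes a small regression check that lists look-alike hosts accepted by one matcher but not the other. The helper names, the "*.domain" wildcard translation, and the sample hosts are assumptions made for this example.

```python
"""Added illustration for this advisory (not Litestar's own code).

A host allow-list that is compiled to a regular expression must escape the
literal part of every entry.  _compile_allowlist(escape=False) reproduces the
bug class described in the advisory; escape=True is the corrected form.  The
helper names, the "*.domain" wildcard translation and the sample hosts are
assumptions made for this example, not the middleware's real implementation.
"""
import re
from typing import Iterable, List, Optional


def _compile_allowlist(allowed_hosts: Iterable[str], escape: bool) -> Optional[re.Pattern]:
    """Build one alternation from the configured hosts.

    Returns None when "*" is configured (everything allowed).  With
    escape=False the literal text is interpolated verbatim, so the "." in
    "example.com" matches any character; with escape=True it is run through
    re.escape() and matches only a dot.
    """
    alternatives = []
    for host in allowed_hosts:
        if host == "*":
            return None
        if host.startswith("*."):
            literal = host[2:]
            literal = re.escape(literal) if escape else literal
            alternatives.append(r".+\." + literal)  # one or more subdomain labels
        else:
            alternatives.append(re.escape(host) if escape else host)
    return re.compile("(?:" + "|".join(alternatives) + ")")


def host_allowed(host_header: str, allowed_hosts: Iterable[str], escape: bool = True) -> bool:
    """Decide whether a Host header value is on the allow-list.

    The port is dropped before matching (bracketed IPv6 literals keep their
    brackets), and fullmatch() is used so the match must cover the whole
    host: search() or match() with a trailing "$" would still accept a
    trailing newline or a prefix match.
    """
    if host_header.startswith("["):
        host = host_header.split("]", 1)[0] + "]"
    else:
        host = host_header.split(":", 1)[0]
    pattern = _compile_allowlist(allowed_hosts, escape)
    return pattern is None or pattern.fullmatch(host) is not None


def bypass_candidates(allowed_hosts: Iterable[str], probes: Iterable[str]) -> List[str]:
    """Probes accepted by the unescaped matcher but rejected by the escaped one.

    Useful as a regression check for any allow-list implementation: feed it
    the configured hosts plus a few look-alikes and expect an empty list.
    """
    allowed_hosts = list(allowed_hosts)
    return [
        probe
        for probe in probes
        if host_allowed(probe, allowed_hosts, escape=False)
        and not host_allowed(probe, allowed_hosts, escape=True)
    ]


if __name__ == "__main__":
    # Constructed sample configuration and Host header values.
    configured = ["example.com", "*.example.com"]
    probes = ["example.com", "api.example.com", "example-com",
              "api.example-com:8443", "evilexample.com", "[::1]:8000"]
    for probe in probes:
        print(f"{probe:22} unescaped={host_allowed(probe, configured, escape=False)!s:5} "
              f"escaped={host_allowed(probe, configured)}")
    print("bypass candidates:", bypass_candidates(configured, probes))
```

With the configuration ["example.com", "*.example.com"], the unescaped matcher accepts "example-com" and "api.example-com:8443" because the unescaped dot matches the hyphen, while the escaped matcher rejects both; the legitimate hosts are accepted by both. Any attacker-controlled domain that differs from the configured one only at a dot position would pass the vulnerable check, which is why fixed versions escape every configured host before compiling it.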

Related Identifiers

CVE-2026-25479
GHSA-93PH-P7V4-HWH4

Affected Products

Litestar