Package details: pkg:pypi/litestar@2.19.0
purl pkg:pypi/litestar@2.19.0
Next non-vulnerable version 2.20.0
Latest non-vulnerable version 2.20.0
Risk
Vulnerabilities affecting this package (3)
Vulnerability Summary Fixed by
VCID-159v-wvt4-afhj
Aliases:
CVE-2026-25479
GHSA-93ph-p7v4-hwh4
Litestar's AllowedHosts has a validation bypass due to unescaped regex metacharacters in configured host patterns
AllowedHosts host validation can be bypassed because configured host patterns are turned into regular expressions without escaping regex metacharacters (notably .). A configured allowlist entry like example.com can match exampleXcom.
2.20.0
Affected by 0 other vulnerabilities.
VCID-btyw-ukg5-2yb8
Aliases:
CVE-2026-25480
GHSA-vxqx-rh46-q2pg
Litestar's FileStore key canonicalization collisions allow response cache mixup/poisoning (ASCII ord + Unicode NFKD)
FileStore maps cache keys to filenames using Unicode NFKD normalization and ord() substitution without separators, creating key collisions. When FileStore is used as response-cache backend, an unauthenticated remote attacker can trigger cache key collisions via crafted paths, causing one URL to serve cached responses of another (cache poisoning/mixup).
2.20.0
Affected by 0 other vulnerabilities.
VCID-nx6r-27da-k7gj
Aliases:
CVE-2026-25478
GHSA-2p2x-hpg8-cqp2
Litestar's CORS origin allowlist has a bypass due to unescaped regex metacharacters in allowed origins
CORS origin validation can be bypassed because the allowed-origins allowlist is compiled into a regex without escaping metacharacters (notably .). An allowed origin like https://good.example can match https://goodXexample, resulting in Access-Control-Allow-Origin being set for an untrusted origin.
2.20.0
Affected by 0 other vulnerabilities.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version
2026-06-02T04:50:03.170308+00:00 GitLab Importer Affected by VCID-btyw-ukg5-2yb8 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/litestar/CVE-2026-25480.yml 38.6.0
2026-06-02T04:50:02.639050+00:00 GitLab Importer Affected by VCID-159v-wvt4-afhj https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/litestar/CVE-2026-25479.yml 38.6.0
2026-06-02T04:50:01.953648+00:00 GitLab Importer Affected by VCID-nx6r-27da-k7gj https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/litestar/CVE-2026-25478.yml 38.6.0