Package details: pkg:pypi/litestar@2.20.0
purl pkg:pypi/litestar@2.20.0
Vulnerabilities affecting this package (0)
This package is not known to be affected by vulnerabilities.
Vulnerabilities fixed by this package (3)
| Vulnerability | Summary | Aliases |
| --- | --- | --- |
| VCID-159v-wvt4-afhj | Litestar's AllowedHosts has a validation bypass due to unescaped regex metacharacters in configured host patterns. AllowedHosts host validation can be bypassed because configured host patterns are turned into regular expressions without escaping regex metacharacters (notably .). A configured allowlist entry like example.com can match exampleXcom. | CVE-2026-25479, GHSA-93ph-p7v4-hwh4 |
| VCID-btyw-ukg5-2yb8 | Litestar's FileStore key canonicalization collisions allow response cache mixup/poisoning (ASCII ord + Unicode NFKD). FileStore maps cache keys to filenames using Unicode NFKD normalization and ord() substitution without separators, creating key collisions. When FileStore is used as response-cache backend, an unauthenticated remote attacker can trigger cache key collisions via crafted paths, causing one URL to serve cached responses of another (cache poisoning/mixup). | CVE-2026-25480, GHSA-vxqx-rh46-q2pg |
| VCID-nx6r-27da-k7gj | Litestar's CORS origin allowlist has a bypass due to unescaped regex metacharacters in allowed origins. CORS origin validation can be bypassed because the allowed-origins allowlist is compiled into a regex without escaping metacharacters (notably .). An allowed origin like https://good.example can match https://goodXexample, resulting in Access-Control-Allow-Origin being set for an untrusted origin. | CVE-2026-25478, GHSA-2p2x-hpg8-cqp2 |

| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
| --- | --- | --- | --- | --- | --- |
| 2026-06-02T04:50:03.176882+00:00 | GitLab Importer | Fixing | VCID-btyw-ukg5-2yb8 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/litestar/CVE-2026-25480.yml | 38.6.0 |
| 2026-06-02T04:50:02.645874+00:00 | GitLab Importer | Fixing | VCID-159v-wvt4-afhj | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/litestar/CVE-2026-25479.yml | 38.6.0 |
| 2026-06-02T04:50:01.961009+00:00 | GitLab Importer | Fixing | VCID-nx6r-27da-k7gj | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/litestar/CVE-2026-25478.yml | 38.6.0 |