CVE-2026-25478 HIGH

CVE-2026-25478: Litestar has a CORS origin allowlist bypass due to unescaped regex metacharacters in allowed origins

Vendor Litestar-Org
Product litestar
Weakness CWE-942
Published February 9, 2026
Last update February 10, 2026

CVSS base score

7.4/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N

What the vulnerability does

01Description

Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to 2.20.0, CORSConfig.allowed_origins_regex is constructed using a regex built from configured allowlist values and used with fullmatch() for validation. Because metacharacters are not escaped, a malicious origin can match unexpectedly. The check relies on allowed_origins_regex.fullmatch(origin). This vulnerability is fixed in 2.20.0.

Key dates

02Disclosure timeline

February 9, 2026 CVE published
February 10, 2026 Record updated