{"id":"PYSEC-2026-2196","details":"Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to 2.20.0, in litestar.middleware.allowed_hosts, allowlist entries are compiled into regex patterns in a way that allows regex metacharacters to retain special meaning (e.g., . matches any character). This enables a bypass where an attacker supplies a host that matches the regex but is not the intended literal hostname. This vulnerability is fixed in 2.20.0.","aliases":["CVE-2026-25479","GHSA-93ph-p7v4-hwh4"],"modified":"2026-07-13T07:15:34.259035891Z","published":"2026-02-09T20:15:57.177Z","references":[{"type":"ADVISORY","url":"https://docs.litestar.dev/2/release-notes/changelog.html#2.20.0"},{"type":"ADVISORY","url":"https://github.com/litestar-org/litestar/releases/tag/v2.20.0"},{"type":"FIX","url":"https://github.com/litestar-org/litestar/commit/06b36f481d1bfea6f19995cfb4f203aba45c4ace"},{"type":"EVIDENCE","url":"https://github.com/litestar-org/litestar/security/advisories/GHSA-93ph-p7v4-hwh4"}],"affected":[{"package":{"name":"litestar","ecosystem":"PyPI","purl":"pkg:pypi/litestar"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.20.0"}]}],"versions":["1.0.0a0","2.0.0","2.0.0a3","2.0.0a4","2.0.0a5","2.0.0a6","2.0.0a7","2.0.0b1","2.0.0b2","2.0.0b3","2.0.0b4","2.0.0rc1","2.0.1","2.1.0","2.1.1","2.10.0","2.11.0","2.12.0","2.12.1","2.13.0","2.14.0","2.15.0","2.15.1","2.15.2","2.16.0","2.17.0","2.18.0","2.19.0","2.2.0","2.2.1","2.3.0","2.3.1","2.3.2","2.4.0","2.4.1","2.4.2","2.4.3","2.4.4","2.4.5","2.5.0","2.5.1","2.5.2","2.5.3","2.5.4","2.5.5","2.6.0","2.6.1","2.6.2","2.6.3","2.6.4","2.7.0","2.7.1","2.7.2","2.8.0","2.8.1","2.8.2","2.8.3","2.9.0","2.9.1"],"ecosystem_specific":{},"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/litestar/PYSEC-2026-2196.yaml"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"}]}