CVE-2026-25478

7.4 HIGH

📋 TL;DR

Litestar, a Python ASGI web framework, validates cross-origin requests in versions before 2.20.0 with a regular expression that crafted Origin headers can satisfy, because regex metacharacters in the configured pattern are not escaped properly. Any application that sets CORSConfig.allow_origin_regex for origin validation is affected; the fix shipped in 2.20.0.

💻 Affected Systems

Products:
  • Litestar ASGI framework
Versions: All versions before 2.20.0
Operating Systems: All
Default Config Vulnerable: ✅ No
Notes: Only affects applications that configure CORSConfig.allow_origin_regex. Applications that list their origins in allow_origins instead are not affected.

📦 What is this software?

Litestar is a Python ASGI web framework for building APIs. Its CORSConfig decides which browser origins may make cross-origin requests to an application, either from a list of origins (allow_origins) or from a regular expression (allow_origin_regex).

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete CORS bypass: a page on an attacker-controlled domain can make credentialed cross-origin requests to the API and read the responses, enabling theft of user data, unauthorized API access in the victim's session, or cross-site requests the CORS policy was meant to block.

🟠

Likely Case

Partial CORS bypass: an attacker who registers a domain that happens to satisfy the configured pattern (for example because an unescaped dot matches any character) can make cross-origin requests from it.

🟢

If Mitigated

Limited impact if an additional origin validation layer sits in front of the application, or if the application does not rely on CORS for security (no credentialed cross-origin API access).

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation needs no authentication: the attacker works out (or guesses) the configured pattern, registers a domain that satisfies it, and hosts a page there that issues cross-origin requests. No public exploit code has been identified.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.20.0

Vendor Advisory: https://github.com/litestar-org/litestar/security/advisories/GHSA-2p2x-hpg8-cqp2

Restart Required: Yes

Instructions:

1. Upgrade Litestar with pip (quote the specifier so the shell does not treat >= as a redirect): pip install --upgrade "litestar>=2.20.0"
2. Restart your application server
3. Verify the update with: pip show litestar

🔧 Temporary Workarounds

Switch to an allow_origins list

Applies to: all affected versions

Replace CORSConfig.allow_origin_regex with an allow_origins list. Entries are full origins (scheme://host[:port]) that are compared as literal strings rather than as a pattern; a bare hostname without a scheme never equals an Origin header value, and wildcards should be kept out of the entries.

Change configuration from: CORSConfig(allow_origin_regex="<pattern>") to: CORSConfig(allow_origins=["https://app.example.com"])

Implement custom origin validation middleware

Applies to: all affected versions

Add an origin validation layer that runs before Litestar's CORS middleware.

Wrap the application in ASGI middleware that compares the Origin request header against an explicit allowlist and rejects any request whose Origin does not match before it reaches Litestar.
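To make both workarounds concrete, here is an added example; it is not Litestar's code and not taken from the advisory. It puts a deliberately weak origin regex of the kind described above (unescaped dots, no end anchor) beside two hardened checks, a whole-string allowlist comparison and a regex built with re.escape and fullmatch, and adds a minimal pure-ASGI wrapper that answers 403 to disallowed origins before the wrapped application sees the request. The allowlist, the probe origins, the stand-in downstream app and all function names are constructed for the example.

```python
import asyncio
import re

# Constructed allowlist for this example. Origins are compared as
# scheme://host[:port]; a bare hostname like "example.com" would never
# equal an Origin header value.
ALLOWED_ORIGINS = frozenset({"https://app.example.com", "https://admin.example.com"})

# Deliberately weak pattern illustrating the bug class: '.' is unescaped
# (it matches any character) and there is no end anchor, so re.match only
# checks a prefix. This is not Litestar's code.
WEAK_PATTERN = re.compile(r"^https://(app|admin).example.com")


def weak_is_origin_allowed(origin: str) -> bool:
    return WEAK_PATTERN.match(origin) is not None


def exact_is_origin_allowed(origin: str) -> bool:
    """Workaround 1: compare the whole Origin value against an explicit list."""
    return origin in ALLOWED_ORIGINS


def build_strict_origin_regex(hosts):
    """Hardened regex: re.escape every host and require a full match."""
    alternation = "|".join(re.escape(host) for host in hosts)
    return re.compile(rf"https://(?:{alternation})")


STRICT_PATTERN = build_strict_origin_regex(["app.example.com", "admin.example.com"])


def strict_is_origin_allowed(origin: str) -> bool:
    return STRICT_PATTERN.fullmatch(origin) is not None


def evaluate(origin: str) -> dict:
    """Return the verdict of each checker for one Origin value."""
    return {
        "weak": weak_is_origin_allowed(origin),
        "exact": exact_is_origin_allowed(origin),
        "strict": strict_is_origin_allowed(origin),
    }


# Workaround 2: a pure-ASGI wrapper (hypothetical, not a Litestar API) that
# answers 403 to any request whose Origin fails the check, before the
# wrapped application and its CORS middleware run.
def strict_origin_middleware(app, is_allowed=exact_is_origin_allowed):
    async def wrapper(scope, receive, send):
        if scope["type"] == "http":
            headers = dict(scope.get("headers", []))
            origin = headers.get(b"origin")
            if origin is not None and not is_allowed(origin.decode("latin-1")):
                await send({"type": "http.response.start", "status": 403,
                            "headers": [(b"content-type", b"text/plain")]})
                await send({"type": "http.response.body", "body": b"origin not allowed"})
                return
        await app(scope, receive, send)
    return wrapper


async def _downstream_app(scope, receive, send):
    """Stand-in for the real application; always answers 200."""
    await send({"type": "http.response.start", "status": 200, "headers": []})
    await send({"type": "http.response.body", "body": b"ok"})


def preflight_status(origin: str) -> int:
    """Drive the wrapped app with a constructed OPTIONS preflight; return the status."""
    sent = []

    async def send(message):
        sent.append(message)

    async def receive():
        return {"type": "http.request", "body": b"", "more_body": False}

    scope = {"type": "http", "method": "OPTIONS", "path": "/api",
             "headers": [(b"origin", origin.encode("latin-1")),
                         (b"access-control-request-method", b"GET")]}
    asyncio.run(strict_origin_middleware(_downstream_app)(scope, receive, send))
    return sent[0]["status"]


if __name__ == "__main__":
    for probe in ["https://app.example.com", "https://app-example.com",
                  "https://app.example.com.attacker.test", "https://app.example.com:8443"]:
        print(f"{probe:40} {evaluate(probe)} preflight={preflight_status(probe)}")
```

Running the block shows the weak checker accepting a registrable look-alike (app-example.com), a suffixed host and an added port, while both hardened checkers and the wrapper reject them. The same probe set is a reasonable starting point for the manual verification described under "How to Verify".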

🧯 If You Can't Patch

  • Enforce a strict Origin allowlist at a reverse proxy in front of the application
  • Use WAF rules to block requests whose Origin header is outside the expected set

🔍 How to Verify

Check if Vulnerable:

Vulnerable if the installed Litestar is older than 2.20.0 AND CORSConfig is configured with allow_origin_regex

Check Version:

pip show litestar | grep Version

Verify Fix Applied:

Confirm the installed version is >=2.20.0, then send preflight (OPTIONS) requests with crafted Origin values (a suffix appended to an allowed origin, a metacharacter position substituted, a port added) and confirm that none of them is echoed back in Access-Control-Allow-Origin.

📡 Detection & Monitoring

Log Indicators:

  • Origin headers outside the expected set on CORS preflight (OPTIONS) requests
  • Access-Control-Allow-Origin response headers echoing an origin outside the allowlist, where response headers are logged

Network Indicators:

  • Preflight requests whose Origin is a look-alike of an allowed origin (extra suffix, substituted characters, added port)
  • Cross-origin requests from domains that are not part of the application's own front ends

SIEM Query:

web_logs method=OPTIONS status=2* NOT origin IN ("https://app.example.com", "https://admin.example.com")

(Pseudo-syntax: substitute your allowlist and your log source's field names. Where response headers are logged, add a condition that Access-Control-Allow-Origin equals the request Origin to isolate confirmed reflections from mere probing.)
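An added detection example, not from the page or the project: a small parser over constructed nginx-style access-log lines whose last two quoted fields are the request Origin ($http_origin) and the response Access-Control-Allow-Origin ($sent_http_access_control_allow_origin). It flags 2xx responses to requests from origins outside the allowlist, treating a response that echoes such an origin in Access-Control-Allow-Origin as a confirmed bypass and the rest as suspicious probing. The log lines, addresses, origins, allowlist and function names are all made up for the example; the log format is an assumption about how the deployment is configured.

```python
import re
from collections import Counter

# Constructed allowlist; in practice this must match the CORS configuration.
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}

# Constructed log lines in an nginx-style format whose last two quoted fields
# are $http_origin and $sent_http_access_control_allow_origin. Addresses and
# origins are documentation/test values, not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Feb/2026:10:00:01 +0000] "OPTIONS /api/me HTTP/1.1" 204 0 "https://app.example.com" "https://app.example.com"
203.0.113.10 - - [12/Feb/2026:10:00:02 +0000] "GET /api/me HTTP/1.1" 200 512 "https://app.example.com" "https://app.example.com"
198.51.100.7 - - [12/Feb/2026:10:05:13 +0000] "OPTIONS /api/me HTTP/1.1" 204 0 "https://app-example.com" "https://app-example.com"
198.51.100.7 - - [12/Feb/2026:10:05:14 +0000] "GET /api/me HTTP/1.1" 200 512 "https://app-example.com" "https://app-example.com"
198.51.100.7 - - [12/Feb/2026:10:05:20 +0000] "OPTIONS /api/me HTTP/1.1" 204 0 "https://app.example.com.attacker.test" "https://app.example.com.attacker.test"
192.0.2.44 - - [12/Feb/2026:10:07:00 +0000] "OPTIONS /api/me HTTP/1.1" 204 0 "https://evil.test" "-"
192.0.2.44 - - [12/Feb/2026:10:07:01 +0000] "GET /healthz HTTP/1.1" 200 2 "-" "-"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<origin>[^"]*)" "(?P<acao>[^"]*)"$'
)


def parse_line(line: str):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_cors_bypass(log_text: str, allowed_origins=ALLOWED_ORIGINS):
    """Split 2xx responses to requests from non-allowlisted origins into
    confirmed bypasses (ACAO echoes the foreign origin) and suspicious ones
    (no matching ACAO logged: the browser would block the read, but someone probed)."""
    confirmed, suspicious = [], []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["origin"] in ("", "-"):
            continue  # unparsable, same-origin, or non-browser request
        if rec["origin"] in allowed_origins or not 200 <= rec["status"] < 300:
            continue
        if rec["acao"] == rec["origin"]:
            confirmed.append(rec)
        else:
            suspicious.append(rec)
    return confirmed, suspicious


def summarize(records):
    """Count hits per (client IP, origin) pair for triage."""
    return Counter((r["ip"], r["origin"]) for r in records)


if __name__ == "__main__":
    confirmed, suspicious = find_cors_bypass(SAMPLE_LOG)
    print("confirmed bypass:", summarize(confirmed))
    print("suspicious probes:", summarize(suspicious))
```

Only an echoed Access-Control-Allow-Origin proves the application accepted the foreign origin; a foreign Origin with a 2xx and no ACAO shows that someone tried, which is still worth a look during the window before the patch is applied.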

🔗 References

  • Vendor advisory (GHSA-2p2x-hpg8-cqp2): https://github.com/litestar-org/litestar/security/advisories/GHSA-2p2x-hpg8-cqp2