CVE-2026-25479
📋 TL;DR
Litestar ASGI framework versions before 2.20.0 have a host validation bypass in the allowed_hosts handling. The configured hostnames are matched as a regular expression rather than compared as literal strings, so an attacker can send a Host header value that satisfies the pattern without being one of the intended hostnames (for example a value that differs from an allowed host only where that host contains a dot). This affects any Litestar application that relies on the allowed_hosts middleware to restrict which Host values are accepted, since the Host header is fully attacker-controlled.
💻 Affected Systems
- Litestar ASGI Framework
📦 What is this software?
Litestar is a Python ASGI web framework maintained by the litestar-org project.
⚠️ Risk & Real-World Impact
Worst Case
Complete bypass of host-based access controls, so an attacker-chosen Host value reaches the application. Where the application builds absolute URLs, redirects or cache keys from the Host header, this enables host header injection and cache poisoning; where it makes outbound requests to the host it was addressed with, it can also enable server-side requests to an attacker-chosen destination.
Likely Case
Bypass of host restrictions allowing attackers to reach endpoints intended only for specific hosts, potentially exposing internal APIs or admin interfaces.
If Mitigated
Limited impact if additional authentication/authorization layers exist beyond host validation, though host-based routing could still be compromised.
🎯 Exploit Status
Exploitation only requires sending an HTTP request with a crafted Host header that satisfies the regex-based validation. No authentication is needed; the attacker simply needs network reachability to the application.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.20.0
Vendor Advisory: https://github.com/litestar-org/litestar/security/advisories/GHSA-93ph-p7v4-hwh4
Restart Required: Yes
Instructions:
1. Update Litestar to version 2.20.0 or later using pip: pip install --upgrade "litestar>=2.20.0" (the quotes are required, otherwise the shell treats >= as an output redirection)
2. Restart your application server
3. Verify the update with: pip show litestar
🔧 Temporary Workarounds
Disable allowed_hosts middleware
Temporarily disable the middleware if host validation is not a security boundary for your application. Note that this removes host filtering entirely, so it is only acceptable where something else (for example the reverse proxy in front of the application) already enforces the expected Host values.
Remove or comment out 'allowed_hosts' from your Litestar application configuration
Implement custom host validation
Create custom middleware that compares the Host header (after stripping any port) for exact string equality against your allow-list, instead of matching it against a regex
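The following is an added example and not Litestar's own code. The flawed matcher at the top is an illustrative reconstruction of the regex-bypass bug class described above (hostnames dropped into a pattern without escaping), not a quote of the vulnerable function. Below it is a strict replacement check and a framework-agnostic ASGI middleware built on it; wiring the middleware into a Litestar app through DefineMiddleware is assumed, and run_request drives it with a constructed ASGI scope so the whole file runs offline.

```python
import asyncio
import re
from typing import Iterable


def flawed_regex_matcher(allowed: Iterable[str]):
    """Illustrative reconstruction of the vulnerable pattern class (hypothetical,
    not Litestar's code): entries are joined into a regex without re.escape, so the
    dot in "example.com" matches any character and "exampleXcom" is accepted."""
    pattern = "|".join(host.replace("*", ".*") for host in allowed)
    regex = re.compile(rf"^({pattern})$")
    return lambda host: regex.match(host) is not None


def _normalize_host(raw: str) -> str:
    """Lower-case the Host value and strip an optional :port, keeping IPv6 literals intact."""
    host = raw.strip().lower()
    if host.startswith("["):                     # "[::1]:8000" -> "[::1]"
        end = host.find("]")
        return host[: end + 1] if end != -1 else host
    return host.rsplit(":", 1)[0] if ":" in host else host


def host_is_allowed(raw_host: str, allowed: Iterable[str]) -> bool:
    """Strict allow-list check: exact string equality for literal entries and a real
    label-boundary suffix match for wildcard entries written as "*.example.com"."""
    host = _normalize_host(raw_host)
    if not host:
        return False
    for entry in allowed:
        entry = entry.lower()
        if entry == "*":
            return True
        if entry.startswith("*."):
            suffix = entry[1:]                   # ".example.com"
            if host.endswith(suffix) and len(host) > len(suffix):
                return True
        elif host == entry:
            return True
    return False


class StrictAllowedHostsMiddleware:
    """Pure ASGI middleware that rejects requests whose Host is not on the allow-list.
    Assumed wiring (not verified here):
    Litestar(route_handlers=[...], middleware=[DefineMiddleware(
        StrictAllowedHostsMiddleware, allowed_hosts=["example.com"])])"""

    def __init__(self, app, allowed_hosts: Iterable[str]):
        self.app = app
        self.allowed_hosts = list(allowed_hosts)

    async def __call__(self, scope, receive, send):
        if scope["type"] not in ("http", "websocket"):
            await self.app(scope, receive, send)
            return
        host = next((v.decode("latin-1") for k, v in scope.get("headers", []) if k == b"host"), "")
        if host_is_allowed(host, self.allowed_hosts):
            await self.app(scope, receive, send)
            return
        if scope["type"] == "websocket":
            await send({"type": "websocket.close", "code": 1008})
            return
        # Reject before the application ever sees the request.
        await send({"type": "http.response.start", "status": 400,
                    "headers": [(b"content-type", b"text/plain")]})
        await send({"type": "http.response.body", "body": b"Invalid host header"})


async def _ok_app(scope, receive, send):
    """Stand-in downstream application that always answers 200."""
    await send({"type": "http.response.start", "status": 200, "headers": []})
    await send({"type": "http.response.body", "body": b"hello"})


def run_request(allowed_hosts: Iterable[str], host_header: str) -> int:
    """Send one constructed request through the middleware and return the status code.
    Against a live deployment the same probe is: curl -si -H "Host: exampleXcom" http://127.0.0.1:8000/"""
    app = StrictAllowedHostsMiddleware(_ok_app, allowed_hosts)
    scope = {"type": "http", "method": "GET", "path": "/",
             "headers": [(b"host", host_header.encode("latin-1"))]}
    sent = []

    async def receive():
        return {"type": "http.request", "body": b"", "more_body": False}

    async def send(message):
        sent.append(message)

    asyncio.run(app(scope, receive, send))
    return sent[0]["status"]
```

The flawed matcher accepts exampleXcom for an allow-list of example.com, while host_is_allowed rejects it, still accepts example.com:443, and handles *.example.com without letting api.example.com.evil.net through.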
🧯 If You Can't Patch
- Implement network-level controls, such as WAF or reverse-proxy rules, that only forward requests whose Host header exactly matches one of your known hostnames
- Add additional authentication/authorization layers to protect sensitive endpoints
🔍 How to Verify
Check if Vulnerable:
Check whether your Litestar version is below 2.20.0 and whether allowed_hosts is configured on the application
Check Version:
pip show litestar | grep Version
Verify Fix Applied:
Confirm the installed Litestar version is 2.20.0 or higher, then send a request whose Host value differs from an allowed host only where that host has a dot (for example Host: exampleXcom against an allow-list containing example.com) and confirm the request is rejected rather than served
📡 Detection & Monitoring
Log Indicators:
- Host header values that are not on your allow-list, in particular values that differ from an allowed host only at the position of a dot (for example exampleXcom or example-com against an allow-list containing example.com), which is the shape a regex-bypass attempt takes; the mere presence of dots or other characters is not an indicator, since every legitimate hostname contains them
- Requests to internal or admin paths under such Host values that were answered with 2xx rather than rejected
Network Indicators:
- HTTP requests whose Host header, after stripping the port, does not exactly match one of the hostnames the deployment is expected to serve
SIEM Query:
http.request_header.Host:* AND NOT http.request_header.Host:("example.com" OR "www.example.com" OR "api.example.com")
(replace the quoted hostnames with your actual allow-list; review the resulting values for ones that are one character away from an allowed host)
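An added detection example, not part of the original page or of Litestar: it scans access-log lines for Host values outside the allow-list and separates likely regex-bypass attempts (same length as an allowed host, differing only where that host has a dot) from ordinary scanner noise. The log lines and their whitespace-separated format (timestamp, client IP, Host as received, method, path, status) are constructed for the example; adapt LINE_RE to your own log format.

```python
import re
from collections import Counter

# Constructed sample access-log lines (not real data).
LOG_LINES = """\
2026-02-10T09:12:01Z 203.0.113.7 example.com GET /login 200
2026-02-10T09:12:03Z 203.0.113.7 exampleXcom GET /admin 200
2026-02-10T09:12:05Z 198.51.100.4 example.com:443 GET / 200
2026-02-10T09:12:07Z 203.0.113.7 example-com GET /admin 200
2026-02-10T09:12:09Z 192.0.2.55 scanner.invalid GET / 400
""".splitlines()

# Assumed log layout: timestamp, client, Host header, method, path, status.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<host>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3})$"
)


def normalize_host(raw: str) -> str:
    """Lower-case and drop an optional :port so example.com:443 compares equal to example.com."""
    host = raw.strip().lower()
    if host.startswith("["):                      # bracketed IPv6 literal, keep as-is
        end = host.find("]")
        return host[: end + 1] if end != -1 else host
    return host.split(":", 1)[0]


def is_dot_substitution(host: str, allowed_entry: str) -> bool:
    """True when host has the same length as an allowed hostname and differs from it only
    at positions where the allowed hostname has a dot. With an unescaped dot in a regex,
    exactly these values satisfy the pattern without being the literal hostname."""
    if host == allowed_entry or len(host) != len(allowed_entry):
        return False
    return all(h == a or a == "." for h, a in zip(host, allowed_entry))


def find_suspicious(lines, allowed_hosts):
    """Return one record per request whose Host is not on the allow-list, tagged
    "dot-substitution" (likely bypass attempt) or "unknown-host" (generic noise)."""
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                              # unparseable line: skip rather than guess
        host = normalize_host(m["host"])
        if host in allowed:
            continue
        reason = ("dot-substitution" if any(is_dot_substitution(host, a) for a in allowed)
                  else "unknown-host")
        findings.append({"client": m["client"], "host": m["host"], "path": m["path"],
                         "status": int(m["status"]), "reason": reason})
    return findings


def bypass_clients(findings):
    """Count clients whose dot-substitution Host was answered with something other than 4xx,
    i.e. cases where the bypass appears to have succeeded."""
    return Counter(f["client"] for f in findings
                   if f["reason"] == "dot-substitution" and not 400 <= f["status"] < 500)


if __name__ == "__main__":
    hits = find_suspicious(LOG_LINES, ["example.com"])
    for hit in hits:
        print(hit)
    print("clients with served bypass requests:", dict(bypass_clients(hits)))
```

On the constructed lines the two /admin requests from 203.0.113.7 with Host exampleXcom and example-com are flagged as dot substitutions that were served, while scanner.invalid is reported only as an unknown host.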