CVE-2026-25478: Litestar's CORS origin allowlist has a bypass due to unescaped regex metacharacters in allowed origins

February 9, 2026

CORS origin validation can be bypassed because the allowed-origins allowlist is compiled into a regex without escaping metacharacters (notably .). An allowed origin like https://good.example can match https://goodXexample, resulting in Access-Control-Allow-Origin being set for an untrusted origin

References

github.com/advisories/GHSA-2p2x-hpg8-cqp2
github.com/litestar-org/litestar
github.com/litestar-org/litestar/security/advisories/GHSA-2p2x-hpg8-cqp2
nvd.nist.gov/vuln/detail/CVE-2026-25478

Code Behaviors & Features

Detect and mitigate CVE-2026-25478 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →