CVE-2026-25479: Litestar's AllowedHosts has a validation bypass due to unescaped regex metacharacters in configured host patterns

February 9, 2026

AllowedHosts host validation can be bypassed because configured host patterns are turned into regular expressions without escaping regex metacharacters (notably .). A configured allowlist entry like example.com can match exampleXcom

References

github.com/advisories/GHSA-93ph-p7v4-hwh4
github.com/litestar-org/litestar
github.com/litestar-org/litestar/security/advisories/GHSA-93ph-p7v4-hwh4
nvd.nist.gov/vuln/detail/CVE-2026-25479

Code Behaviors & Features

Detect and mitigate CVE-2026-25479 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →