The Dot That Killed the Host: Litestar AllowedHosts Bypass
Vulnerability ID: CVE-2026-25479
CVSS Score: 6.5
Published: 2026-02-09
A classic regular expression logic flaw in Litestar's AllowedHostsMiddleware allows attackers to bypass host header validation. By failing to escape the dot character in configured hostnames, the middleware interprets them as regex wildcards, enabling Host Header Injection attacks.
TL;DR
Litestar < 2.20.0 treats dots in 'allowed_hosts' as regex wildcards. 'example.com' matches 'exampleXcom'. This allows Host Header Injection.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-185 (Incorrect Regular Expression)
- CVSS Score: 6.5 (Medium)
- Attack Vector: Network
- Confidentiality: Low
- Integrity: Low
- Exploit Status: PoC Available
Affected Systems
- Litestar Framework (Python)
- Litestar: < 2.20.0 (fixed in 2.20.0)
Code Analysis
Commit: 06b36f4
fix(allowed hosts): Ensure host names are always properly escaped when used in a regex
@@ -1,5 +1,6 @@
+import re
...
- regex = re.compile(f"^({'|'.join(allowed_hosts)})$", flags=re.IGNORECASE)
+ regex = re.compile(f"^({'|'.join([re.escape(h) for h in allowed_hosts])})$", flags=re.IGNORECASE)
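Review bot: the `re.escape` on the `+` line closes the wildcard-dot hole, but the surrounding anchors `^(...)$` are unchanged, and in Python `$` also matches just before a trailing newline; unless the compiled pattern is applied with `fullmatch()` (or `\Z` replaces `$`), a host value ending in `\n` would still satisfy it. A regression test asserting that `exampleXcom` is rejected for an `example.com` entry would also document the intent of this change.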
Exploit Details
- GitHub Security Advisory: Official advisory describing the regex bypass mechanism.
Mitigation Strategies
- Upgrade Litestar to version 2.20.0 or later.
- Manually escape dots in the 'allowed_hosts' configuration if upgrading is impossible.
- Use hardcoded canonical URLs for link generation instead of relying on the 'Host' header.
Remediation Steps:
- Identify Litestar usage in your dependency tree ('pip freeze | grep litestar').
- Update 'requirements.txt' or 'pyproject.toml' to specify 'litestar>=2.20.0'.
- Re-deploy the application.
- Audit logs for suspicious Host headers (e.g., matching the regex pattern but not the literal string).
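To see both sides of the commit above and to support the log-audit step, here is an added example (not Litestar's own code): it rebuilds the allowed-hosts pattern with and without re.escape(), then scans constructed log lines for Host values that only the unescaped pattern would have accepted. The log format and the helper names are assumptions.

```python
import re

# Constructed sample configuration: what an operator might list in allowed_hosts.
ALLOWED_HOSTS = ["example.com", "api.example.com"]

def build_host_regex(allowed_hosts, escape):
    """Rebuild the anchored, case-insensitive alternation from commit 06b36f4.
    escape=False mirrors Litestar < 2.20.0('.' is a wildcard); escape=True
    mirrors the fix, where each host goes through re.escape() first."""
    parts = [re.escape(h) if escape else h for h in allowed_hosts]
    return re.compile(f"^({'|'.join(parts)})$", flags=re.IGNORECASE)

VULNERABLE = build_host_regex(ALLOWED_HOSTS, escape=False)  # pre-2.20.0 behaviour
FIXED = build_host_regex(ALLOWED_HOSTS, escape=True)        # 2.20.0 behaviour

def host_allowed(host, pattern):
    """True if the Host header value satisfies the compiled pattern."""
    return pattern.match(host) is not None

def suspicious_hosts(log_lines, allowed_hosts):
    """Audit helper for the log-review step: flag Host values that the
    unescaped (vulnerable) pattern accepts but that are not literally one of
    the configured hosts, compared case-insensitively like the middleware.
    Assumes a constructed log format that records the header as host="..."."""
    vulnerable = build_host_regex(allowed_hosts, escape=False)
    literal = {h.lower() for h in allowed_hosts}
    flagged = []
    for line in log_lines:
        m = re.search(r'host="([^"]*)"', line)
        if m is None:
            continue
        host = m.group(1)
        if vulnerable.match(host) and host.lower() not in literal:
            flagged.append(host)
    return flagged

# Constructed access-log lines, not real traffic.
SAMPLE_LOG = [
    'GET / host="example.com" status=200',
    'GET / host="EXAMPLE.COM" status=200',           # legitimate, only the case differs
    'GET /profile host="exampleXcom" status=200',    # unescaped dot matched the X
    'GET /login host="api-example.com" status=200',  # same trick on the second entry
    'GET / host="evil.example.com" status=400',      # the ^...$ anchors still reject this
]

if __name__ == "__main__":
    print(host_allowed("exampleXcom", VULNERABLE), host_allowed("exampleXcom", FIXED))
    print(suspicious_hosts(SAMPLE_LOG, ALLOWED_HOSTS))
```

Running it prints `True False` followed by `['exampleXcom', 'api-example.com']`: the first pair is the bug and its fix, the list is what the audit step would surface.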