Update dependency litestar to v2.20.0 [SECURITY] #231
Merged
This PR contains the following updates:
2.19.0 → 2.20.0
GitHub Vulnerability Alerts
CVE-2026-25478
Summary
CORS origin validation can be bypassed because the allowed-origins allowlist is compiled into a regex without escaping metacharacters (notably .). An allowed origin like https://good.example can match https://goodXexample, resulting in Access-Control-Allow-Origin being set for an untrusted origin.
Details
CORSConfig.allowed_origins_regex is constructed using a regex built from configured allowlist values and used with fullmatch() for validation. Because metacharacters are not escaped, a malicious origin can match unexpectedly. The check relies on allowed_origins_regex.fullmatch(origin).
PoC
Server (poc_cors_server.py)
uvicorn poc_cors_server:app --host 127.0.0.1 --port 8002
Client (poc_cors_client.py)
Expected (vulnerable behavior):
Origin: https://evil.example → no ACAO
Origin: https://goodXexample → ACAO: https://goodxexample/ (bypass)
Impact
Type: CORS policy bypass (cross-origin data exposure risk)
Who is impacted: apps using CORS allowlists to restrict browser cross-origin reads. If allow_credentials=True and authenticated endpoints return sensitive data, an attacker-controlled site can potentially read responses in a victim’s browser session.
CVE-2026-25479
Summary
AllowedHosts host validation can be bypassed because configured host patterns are turned into regular expressions without escaping regex metacharacters (notably .). A configured allowlist entry like example.com can match exampleXcom.
Details
In litestar.middleware.allowed_hosts, allowlist entries are compiled into regex patterns in a way that allows regex metacharacters to retain special meaning (e.g., . matches any character). This enables a bypass where an attacker supplies a host that matches the regex but is not the intended literal hostname.
PoC
Server (poc_allowed_hosts_server.py)
uvicorn poc_allowed_hosts_server:app --host 127.0.0.1 --port 8001
Client (poc_allowed_hosts_client.py)
Expected (vulnerable behavior):
Host: evil.com → 400 invalid host
Host: exampleXcom → 200 ok (bypass)
Impact
Type: security control bypass (host allowlist)
Who is impacted: apps relying on AllowedHosts to prevent Host header attacks (cache poisoning, absolute URL construction abuse, password reset link poisoning, etc.). The downstream impact depends on app behavior, but the bypass defeats a core mitigation layer.
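Both CVE-2026-25478 and CVE-2026-25479 come down to the same defect: allowlist strings are joined into a regular expression without `re.escape()`, so `.` matches any character and `fullmatch()` accepts look-alike values. The following is an added illustration (not Litestar's code, and not the advisory's PoC files): it models the unescaped construction beside the escaped one, exposes a single `allowlist_matches()` helper that can be pointed at either an Origin value or a Host value, and adds `audit_allowlist()`, a check a defender can run over an existing configuration to list entries that contain regex metacharacters and would therefore be mis-handled by an unescaped build. The allowlist values are constructed for the example.

```python
import re

# Constructed allowlist values for the demonstration (not from the advisory).
ALLOWED_ORIGINS = ["https://good.example"]
ALLOWED_HOSTS = ["example.com", "api.example.com"]


def compile_unescaped(patterns):
    # Model of the flawed construction the advisory describes: the literal
    # values are joined into an alternation as-is, so '.' keeps its regex
    # meaning ("any character") and 'good.example' also matches 'goodXexample'.
    return re.compile("|".join(patterns))


def compile_escaped(patterns):
    # Hardened construction: re.escape() turns every metacharacter into a
    # literal before the values are joined, so only the exact strings match.
    return re.compile("|".join(re.escape(p) for p in patterns))


def allowlist_matches(value, allowlist, escape=True):
    # Mirrors the advisory's check shape: fullmatch() of the candidate value
    # (an Origin header or a Host header) against the compiled allowlist.
    pattern = compile_escaped(allowlist) if escape else compile_unescaped(allowlist)
    return pattern.fullmatch(value) is not None


def audit_allowlist(allowlist):
    # Defensive check: return the entries whose escaped form differs from the
    # raw string, i.e. the ones an unescaped regex build would mis-handle.
    return [entry for entry in allowlist if re.escape(entry) != entry]


if __name__ == "__main__":
    for origin in ("https://good.example", "https://goodXexample", "https://evil.example"):
        print(origin,
              "unescaped:", allowlist_matches(origin, ALLOWED_ORIGINS, escape=False),
              "escaped:", allowlist_matches(origin, ALLOWED_ORIGINS, escape=True))
    for host in ("example.com", "exampleXcom", "evil.com"):
        print(host,
              "unescaped:", allowlist_matches(host, ALLOWED_HOSTS, escape=False),
              "escaped:", allowlist_matches(host, ALLOWED_HOSTS, escape=True))
    print("entries needing escaping:", audit_allowlist(ALLOWED_HOSTS))
```

Running the script shows the look-alike values accepted only by the unescaped build; every entry that contains a dot is reported by `audit_allowlist()`, which is the quick way to tell whether a given allowlist is exposed to this class of bug before the dependency is upgraded.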
CVE-2026-25480
Summary
FileStore maps cache keys to filenames using Unicode NFKD normalization and ord() substitution without separators, creating key collisions. When FileStore is used as response-cache backend, an unauthenticated remote attacker can trigger cache key collisions via crafted paths, causing one URL to serve cached responses of another (cache poisoning/mixup).
Details
litestar.stores.file._safe_file_name() normalizes input with unicodedata.normalize("NFKD", name) and builds the filename by concatenating c if alphanumeric else str(ord(c)) (no delimiter).
This transformation is not injective, e.g.:
When used in response caching, the default cache key includes request path and sorted query params, which are attacker-controlled.
PoC
Impact
Vulnerability type: cache poisoning / cache key collision.
Impacted deployments: applications using Litestar response caching with FileStore backend (or any attacker-influenced keying into FileStore).
Possible impact: serving incorrect cached content across distinct URLs, potential confidentiality/integrity issues depending on what endpoints are cached.
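To make the non-injective mapping concrete, the following added example (not Litestar's `_safe_file_name()`, but a model of the transformation the advisory describes: NFKD-normalize, keep alphanumerics, replace every other code point with `str(ord(c))`, no delimiter) computes filenames for a set of constructed cache keys, reports which distinct keys land on the same file, and contrasts it with a hashed filename, which is an assumed collision-resistant alternative rather than the fix shipped in 2.20.0.

```python
import hashlib
import unicodedata


def legacy_safe_file_name(name: str) -> str:
    # Model of the mapping described in the advisory (assumption: mirrors the
    # behaviour, not copied from litestar.stores.file). Because "/" becomes
    # "47" and "-" becomes "45" with nothing separating the pieces, a key
    # containing the literal digits "47" is indistinguishable from one
    # containing a slash.
    normalized = unicodedata.normalize("NFKD", name)
    return "".join(c if c.isalnum() else str(ord(c)) for c in normalized)


def hashed_file_name(name: str) -> str:
    # Assumed alternative for comparison: hash the raw key bytes, so two
    # distinct keys cannot share a filename short of a SHA-256 collision.
    return hashlib.sha256(name.encode("utf-8")).hexdigest()


def find_collisions(keys, mapper):
    # Return (first_key, second_key, shared_filename) for every pair of
    # distinct keys that the mapper sends to the same filename.
    seen = {}
    collisions = []
    for key in keys:
        filename = mapper(key)
        if filename in seen and seen[filename] != key:
            collisions.append((seen[filename], key, filename))
        seen.setdefault(filename, key)
    return collisions


# Constructed cache keys (request paths); the even-numbered ones are crafted
# to collide with the odd-numbered ones under the legacy mapping:
#   "/users/1"    -> "47users471"   and "/users471"     -> "47users471"
#   "/items?id=1" -> "47items63id611" and "/items63id611" -> same
#   "/1"          -> "471"          and "/①" (NFKD -> "/1") -> "471"
SAMPLE_KEYS = ["/users/1", "/users471", "/items?id=1", "/items63id611", "/1", "/①"]


if __name__ == "__main__":
    for key in SAMPLE_KEYS:
        print(f"{key!r:20} -> {legacy_safe_file_name(key)}")
    print("legacy collisions:", find_collisions(SAMPLE_KEYS, legacy_safe_file_name))
    print("hashed collisions:", find_collisions(SAMPLE_KEYS, hashed_file_name))
```

The third pair shows why NFKD matters on top of the missing delimiter: compatibility normalization folds the circled digit to a plain "1" before the filename is built, so keys that differ in Unicode but not in their NFKD form also share a file. The same `find_collisions()` routine can be run over an application's real cache keys (paths plus sorted query strings, as the advisory notes) to check whether any two of them already alias each other on disk.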
Release Notes
litestar-org/litestar (litestar)
v2.20.0
Sponsors 🌟
Thanks to these incredible business sponsors:
Thanks to these incredible personal sponsors:
New contributors 🎉
Changelog
https://docs.litestar.dev/2/release-notes/changelog.html#2.20.0
Configuration
📅 Schedule: Branch creation - "" in timezone Australia/Brisbane, Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.