by @LeSuisse Activity log
- Created automatic suggestion
-
@LeSuisse
removed
3 packages
- python312Packages.litestar-htmx
- python313Packages.litestar-htmx
- python314Packages.litestar-htmx
- @LeSuisse accepted
- @LeSuisse published on GitHub
Litestar has a CORS origin allowlist bypass due to unescaped regex metacharacters in allowed origins
Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to 2.20.0, CORSConfig.allowed_origins_regex is constructed using a regex built from configured allowlist values and used with fullmatch() for validation. Because metacharacters are not escaped, a malicious origin can match unexpectedly. The check relies on allowed_origins_regex.fullmatch(origin). This vulnerability is fixed in 2.20.0.
Affected products
- ==< 2.20.0
Matching in nixpkgs
pkgs.litestar
Production-ready, Light, Flexible and Extensible ASGI API framework
pkgs.python312Packages.litestar
Production-ready, Light, Flexible and Extensible ASGI API framework
pkgs.python313Packages.litestar
Production-ready, Light, Flexible and Extensible ASGI API framework
pkgs.python314Packages.litestar
Production-ready, Light, Flexible and Extensible ASGI API framework
Ignored packages (3)
pkgs.python312Packages.litestar-htmx
HTMX Integration for Litesstar
pkgs.python313Packages.litestar-htmx
HTMX Integration for Litesstar
pkgs.python314Packages.litestar-htmx
HTMX Integration for Litesstar
Package maintainers
-
@Bot-wxt1221 Bot-wxt1221 <3264117476@qq.com>