Activity log (by @LeSuisse)
- Created automatic suggestion
- @LeSuisse removed 3 packages:
  - python312Packages.litestar-htmx
  - python313Packages.litestar-htmx
  - python314Packages.litestar-htmx
- @LeSuisse accepted
- @LeSuisse published on GitHub
Litestar has an AllowedHosts validation bypass due to unescaped regex metacharacters in configured host patterns
Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to 2.20.0, in litestar.middleware.allowed_hosts, allowlist entries are compiled into regex patterns in a way that allows regex metacharacters to retain special meaning (e.g., . matches any character). This enables a bypass where an attacker supplies a host that matches the regex but is not the intended literal hostname. This vulnerability is fixed in 2.20.0.
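The following Python is an added illustration of the pattern-construction flaw the advisory describes; it is not code from the advisory, from nixpkgs or from Litestar. It assumes a constructed allowlist of two entries (a literal host and a `*.` wildcard) and contrasts a naive compilation, where only the wildcard is rewritten and every `.` keeps its regex meaning, with a hardened one that runs `re.escape` over the entry first. The `compare` helper returns, for each Host value, whether the naive and the escaped patterns accept it, so the difference is visible on realistic inputs such as a host carrying a port.

```python
import re

# Constructed allowlist for this example (not taken from the advisory or from Litestar).
ALLOWED_HOSTS = ["example.com", "*.example.com"]


def compile_naive(allowed_hosts):
    """Pattern construction in the style the advisory describes: the wildcard is
    rewritten to '.*' but nothing else is escaped, so each '.' in a hostname keeps
    its regex meaning of 'any single character'. Illustrative only, not Litestar's code."""
    return [re.compile(host.replace("*", ".*")) for host in allowed_hosts]


def compile_escaped(allowed_hosts):
    """Hardened construction: escape the whole entry first (so '.' becomes a
    backslash-escaped literal dot), then turn the escaped wildcard back into '.*'."""
    return [re.compile(re.escape(host).replace(r"\*", ".*")) for host in allowed_hosts]


def host_from_header(value):
    """Normalise a Host header value: lower-case it and drop any port suffix."""
    value = value.strip().lower()
    if value.startswith("["):  # IPv6 literal such as "[::1]:8000"
        end = value.find("]")
        return value[: end + 1] if end != -1 else value
    return value.rsplit(":", 1)[0] if ":" in value else value


def host_allowed(header_value, patterns):
    """True if the normalised host matches one pattern in full. fullmatch is used so
    that neither partial matches nor a trailing newline can slip past the check."""
    host = host_from_header(header_value)
    return any(p.fullmatch(host) for p in patterns)


def compare(hosts, allowed_hosts=ALLOWED_HOSTS):
    """Return {host_value: (accepted_by_naive, accepted_by_escaped)} for each input."""
    naive = compile_naive(allowed_hosts)
    escaped = compile_escaped(allowed_hosts)
    return {h: (host_allowed(h, naive), host_allowed(h, escaped)) for h in hosts}


if __name__ == "__main__":
    # Constructed sample Host values: two legitimate, two that only the naive patterns
    # accept, and one that neither accepts.
    samples = ["example.com", "api.example.com:8443", "examplexcom",
               "evilexample.com", "evil.com"]
    for host, (naive_ok, escaped_ok) in compare(samples).items():
        print(f"{host:24} naive={naive_ok!s:5} escaped={escaped_ok!s:5}")
```

The two hosts that the naive patterns accept and the escaped patterns reject differ from the allowlist only at a position where the entry contains a literal `.`, which is exactly the class of mismatch the advisory describes. When reviewing a deployment, the useful check is the escaped column: every entry in the configured allowlist should be compiled from `re.escape` output, and an unexpected hostname reaching the application despite an allowlist is a sign the literal dots are still being interpreted as wildcards.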
Affected products
- < 2.20.0
Matching in nixpkgs
- pkgs.litestar: Production-ready, Light, Flexible and Extensible ASGI API framework
- pkgs.python312Packages.litestar: Production-ready, Light, Flexible and Extensible ASGI API framework
- pkgs.python313Packages.litestar: Production-ready, Light, Flexible and Extensible ASGI API framework
- pkgs.python314Packages.litestar: Production-ready, Light, Flexible and Extensible ASGI API framework
Ignored packages (3)
- pkgs.python312Packages.litestar-htmx: HTMX Integration for Litestar
- pkgs.python313Packages.litestar-htmx: HTMX Integration for Litestar
- pkgs.python314Packages.litestar-htmx: HTMX Integration for Litestar
Package maintainers
- @Bot-wxt1221 Bot-wxt1221 <3264117476@qq.com>