Nixpkgs Security Tracker


Suggestions search

With package: litestar

Found 3 matching suggestions

Published
updated 2 days, 3 hours ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse removed
    3 packages
    • python312Packages.litestar-htmx
    • python313Packages.litestar-htmx
    • python314Packages.litestar-htmx
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
FileStore key canonicalization collisions allow response cache mixup/poisoning (ASCII ord + Unicode NFKD)

Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to 2.20.0, FileStore maps cache keys to filenames using Unicode NFKD normalization and ord() substitution without separators, creating key collisions. When FileStore is used as response-cache backend, an unauthenticated remote attacker can trigger cache key collisions via crafted paths, causing one URL to serve cached responses of another (cache poisoning/mixup). This vulnerability is fixed in 2.20.0.
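The collision mechanism the advisory describes, as an added example (not code from litestar or from the upstream patch): legacy_filename is a reconstruction of the scheme the text describes (NFKD normalization, then every non-alphanumeric character replaced by its decimal code point with no separator), hashed_filename is one hardened alternative, and the sample keys are constructed here. Because digits are alphanumeric and no separator marks where a substituted code point ends, an all-ASCII key can be chosen that lands on the same filename as a key containing the substituted character, and NFKD folds ligatures and accented letters into sequences that other keys can spell out directly.

```python
import hashlib
import unicodedata
from collections import defaultdict
from typing import Callable, Dict, List

# Constructed cache keys for the demonstration (not from the advisory).
SAMPLE_KEYS = [
    "/api/a-b",      # '-' is U+002D, ord 45
    "/api/a45b",     # plain ASCII key that lands on the same filename
    "/caf\u00e9",    # NFKD splits é into 'e' + U+0301 (ord 769)
    "/cafe769",      # plain ASCII key that lands on the same filename
    "/\ufb01le",     # NFKD expands the ligature ﬁ (U+FB01) to 'fi'
    "/file",
    "/unique",
]


def legacy_filename(key: str) -> str:
    """Model of the collision-prone mapping the advisory describes. This is a
    reconstruction for illustration, not litestar's code: NFKD-normalize, keep
    alphanumerics, and replace every other character with its decimal code
    point. Digits are alphanumeric and there is no separator, so the output
    cannot be parsed back into exactly one input."""
    normalized = unicodedata.normalize("NFKD", key)
    return "".join(c if c.isalnum() else str(ord(c)) for c in normalized)


def hashed_filename(key: str) -> str:
    """Hardened mapping (an added suggestion, not the upstream patch): hash the
    raw UTF-8 bytes. There is no normalization step, so visually similar keys
    stay distinct, and the fixed-length hex name carries no attacker-chosen
    bytes to the filesystem."""
    return hashlib.sha256(key.encode("utf-8")).hexdigest()


def find_collisions(scheme: Callable[[str], str], keys: List[str]) -> Dict[str, List[str]]:
    """Group distinct keys that `scheme` maps to the same filename; returns
    only the groups holding more than one key."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for key in dict.fromkeys(keys):  # drop exact duplicates, keep order
        groups[scheme(key)].append(key)
    return {name: ks for name, ks in groups.items() if len(ks) > 1}


if __name__ == "__main__":
    print("legacy :", find_collisions(legacy_filename, SAMPLE_KEYS))
    print("hashed :", find_collisions(hashed_filename, SAMPLE_KEYS))
```

In a response cache every colliding pair is a poisoning primitive: whichever URL is requested first writes the file, and the other URL is then served from it. The digest mapping removes the ambiguity; a reversible, separator-preserving encoding would also work, provided it is injective and never applies a lossy normalization first.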

Affected products

litestar
  • < 2.20.0

Matching in nixpkgs

Ignored packages (3)

Package maintainers

Upstream advisory: https://github.com/litestar-org/litestar/security/advisories/GHSA-vxqx-rh46-q2pg
Upstream patch: https://github.com/litestar-org/litestar/commit/85db6183a76f8a6b3fd6ee3c88d860b9f37a2cca
Published
updated 2 days, 3 hours ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse removed
    3 packages
    • python312Packages.litestar-htmx
    • python313Packages.litestar-htmx
    • python314Packages.litestar-htmx
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
Litestar has an AllowedHosts validation bypass due to unescaped regex metacharacters in configured host patterns

Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to 2.20.0, in litestar.middleware.allowed_hosts, allowlist entries are compiled into regex patterns in a way that allows regex metacharacters to retain special meaning (e.g., . matches any character). This enables a bypass where an attacker supplies a host that matches the regex but is not the intended literal hostname. This vulnerability is fixed in 2.20.0.

Affected products

litestar
  • < 2.20.0

Matching in nixpkgs

Ignored packages (3)

Package maintainers

Upstream advisory: https://github.com/litestar-org/litestar/security/advisories/GHSA-93ph-p7v4-hwh4
Upstream patch: https://github.com/litestar-org/litestar/commit/06b36f481d1bfea6f19995cfb4f203aba45c4ace
Published
updated 2 days, 3 hours ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse removed
    3 packages
    • python312Packages.litestar-htmx
    • python313Packages.litestar-htmx
    • python314Packages.litestar-htmx
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
Litestar has a CORS origin allowlist bypass due to unescaped regex metacharacters in allowed origins

Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to 2.20.0, CORSConfig.allowed_origins_regex is built by joining the configured allowlist values into a regex without escaping them, and origins are validated with allowed_origins_regex.fullmatch(origin). Because regex metacharacters in the configured values keep their special meaning, an origin that is not in the allowlist can still match. This vulnerability is fixed in 2.20.0.
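The bypass shared by the AllowedHosts advisory above and this CORS advisory, as an added example (not code from litestar or from either upstream patch): compile_allowlist_unescaped is a reconstruction of the flawed construction the advisories describe (entries joined into one alternation with metacharacters left live; the treatment of a leading "*" as ".*" is an assumption), compile_allowlist_escaped is one hardened form, and the allowlists and probe values are constructed here. Both checks use fullmatch, so the problem is not partial matching but the unescaped "." in each configured name matching any character.

```python
import re
from typing import Dict, Iterable, List, Pattern, Tuple


def compile_allowlist_unescaped(entries: Iterable[str]) -> Pattern[str]:
    """Model of the flawed construction (a reconstruction for illustration,
    not litestar's code): entries are joined into one alternation as-is, so
    '.' in 'api.example.com' matches any character. A '*' wildcard is
    assumed to be rewritten to '.*' before compiling."""
    return re.compile("|".join(entry.replace("*", ".*") for entry in entries))


def compile_allowlist_escaped(entries: Iterable[str]) -> Pattern[str]:
    """Hardened construction (an added suggestion, not the upstream patch):
    re.escape() every entry first, then re-introduce only the deliberate '*'
    wildcard, assumed here to stand for exactly one DNS label."""
    parts = [re.escape(entry).replace(r"\*", r"[^.]+") for entry in entries]
    return re.compile("|".join(parts))


def is_allowed(value: str, allowlist: Pattern[str]) -> bool:
    """The check both middlewares perform: the Host or Origin value must
    match the compiled allowlist in full."""
    return allowlist.fullmatch(value) is not None


def audit(entries: Iterable[str], probes: Iterable[str]) -> Dict[str, Tuple[bool, bool]]:
    """For each probe value report (accepted by unescaped, accepted by escaped)."""
    entry_list: List[str] = list(entries)
    flawed = compile_allowlist_unescaped(entry_list)
    fixed = compile_allowlist_escaped(entry_list)
    return {p: (is_allowed(p, flawed), is_allowed(p, fixed)) for p in probes}


# Constructed configuration and probe values (not from the advisories).
ALLOWED_HOSTS = ["api.example.com", "*.example.com"]
HOST_PROBES = [
    "api.example.com",                # the intended literal
    "www.example.com",                # intended wildcard use
    "api-example.com",                # attacker-registrable: '.' matched '-'
    "api.example.com.attacker.test",  # rejected either way: fullmatch
]

ALLOWED_ORIGINS = ["https://app.example.com"]
ORIGIN_PROBES = [
    "https://app.example.com",
    "https://app-example.com",   # attacker-registrable: '.' matched '-'
    "https://appXexampleYcom",   # any character works in place of each '.'
]


if __name__ == "__main__":
    for probe, verdict in audit(ALLOWED_HOSTS, HOST_PROBES).items():
        print(f"host   {probe:34} unescaped={verdict[0]!s:5} escaped={verdict[1]}")
    for probe, verdict in audit(ALLOWED_ORIGINS, ORIGIN_PROBES).items():
        print(f"origin {probe:34} unescaped={verdict[0]!s:5} escaped={verdict[1]}")
```

The practical check for a deployment that cannot upgrade yet is to scan the configured allowed_hosts and allowed_origins values for regex metacharacters (at minimum ".", "+", "?", "(", "[", "{", "$", "\\") and ask what attacker-registrable name each one would also admit; for a host-header bypass the attacker still needs a name that resolves to, or is routed to, the application, while for CORS the attacker only needs a browser to send the Origin.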

Affected products

litestar
  • < 2.20.0

Matching in nixpkgs

Ignored packages (3)

Package maintainers

Upstream advisory: https://github.com/litestar-org/litestar/security/advisories/GHSA-2p2x-hpg8-cqp2
Upstream patch: https://github.com/litestar-org/litestar/commit/eb87703b309efcc0d1b087dcb12784e76b003d5a