24 matches found
CVE-2026-25480
Litestar is an Asynchronous Server Gateway Interface ASGI framework. Prior to 2.20.0, FileStore maps cache keys to filenames using Unicode NFKD normalization and ord substitution without separators, creating key collisions. When FileStore is used as response-cache backend, an unauthenticated remo...
CVE-2026-25480
Litestar is an Asynchronous Server Gateway Interface ASGI framework. Prior to 2.20.0, FileStore maps cache keys to filenames using Unicode NFKD normalization and ord substitution without separators, creating key collisions. When FileStore is used as response-cache backend, an unauthenticated remo...
CVE-2026-25480
Litestar is an Asynchronous Server Gateway Interface ASGI framework. Prior to 2.20.0, FileStore maps cache keys to filenames using Unicode NFKD normalization and ord substitution without separators, creating key collisions. When FileStore is used as response-cache backend, an unauthenticated remo...
CVE-2026-25480 FileStore key canonicalization collisions allow response cache mixup/poisoning (ASCII ord + Unicode NFKD)
Litestar is an Asynchronous Server Gateway Interface ASGI framework. Prior to 2.20.0, FileStore maps cache keys to filenames using Unicode NFKD normalization and ord substitution without separators, creating key collisions. When FileStore is used as response-cache backend, an unauthenticated remo...
CVE-2026-25480 FileStore key canonicalization collisions allow response cache mixup/poisoning (ASCII ord + Unicode NFKD)
Litestar is an Asynchronous Server Gateway Interface ASGI framework. Prior to 2.20.0, FileStore maps cache keys to filenames using Unicode NFKD normalization and ord substitution without separators, creating key collisions. When FileStore is used as response-cache backend, an unauthenticated remo...
CVE-2026-25479
Litestar is an Asynchronous Server Gateway Interface ASGI framework. Prior to 2.20.0, in litestar.middleware.allowedhosts, allowlist entries are compiled into regex patterns in a way that allows regex metacharacters to retain special meaning e.g., . matches any character. This enables a bypass...
CVE-2026-25478 Litestar has a CORS origin allowlist bypass due to unescaped regex metacharacters in allowed origins
Litestar is an Asynchronous Server Gateway Interface ASGI framework. Prior to 2.20.0, CORSConfig.allowedoriginsregex is constructed using a regex built from configured allowlist values and used with fullmatch for validation. Because metacharacters are not escaped, a malicious origin can match...
CVE-2026-25478
Litestar (ASGI framework) contains a vulnerability in CORSConfig.allowed_origins_regex prior to 2.20.0 where a regex built from allowlist values is used with fullmatch without escaping metacharacters, allowing a malicious origin to match unexpectedly. Impact is indicated as HIGH (CVSS 3.1: AV:N/A...
Litestar 安全漏洞
Litestar is a powerful, flexible, yet stubbornly opinionated ASGI framework developed by Litestar itself. Versions of Litestar prior to 2.20.0 contained security vulnerabilities. These vulnerabilities were caused by key conflicts in the caching key mapping mechanism, which could lead to cache...
Litestar 安全漏洞
Litestar is a powerful, flexible, yet stubbornly opinionated ASGI framework developed by Litestar itself. Versions of Litestar prior to 2.20.0 contained security vulnerabilities, which stemmed from improper compilation of allowlist entries, potentially allowing bypasses of hostname verification...
Litestar 安全漏洞
Litestar is a powerful, flexible, yet stubbornly opinionated ASGI framework developed by Litestar itself. Versions of Litestar prior to 2.20.0 contained security vulnerabilities, which stemmed from the lack of escaping regular expression metacharacters, potentially allowing malicious sources to...
Improper Input Validation
litestar is vulnerable to Improper Input Validation. The vulnerability is due to the framework unconditionally trusting the X-Forwarded-For header when generating rate-limit cache keys, which allows an attacker to spoof arbitrary IPs and rotate through them to evade rate-limiting...
Linux Distros Unpatched Vulnerability : CVE-2025-59152
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Litestar is an Asynchronous Server Gateway Interface ASGI framework. In version 2.17.0, rate limits can be completely bypassed by manipulating the X-Forwarded-F...
CVE-2025-59152
Litestar is an Asynchronous Server Gateway Interface ASGI framework. In version 2.17.0, rate limits can be completely bypassed by manipulating the X-Forwarded-For header. This renders IP-based rate limiting ineffective against determined attackers. Litestar's RateLimitMiddleware uses...
UBUNTU-CVE-2025-59152
Litestar is an Asynchronous Server Gateway Interface ASGI framework. In version 2.17.0, rate limits can be completely bypassed by manipulating the X-Forwarded-For header. This renders IP-based rate limiting ineffective against determined attackers. Litestar's RateLimitMiddleware uses...
Reliance on Untrusted Inputs in a Security Decision
Overview litestar is a Litestar - A production-ready, highly performant, extensible ASGI API Framework Affected versions of this package are vulnerable to Reliance on Untrusted Inputs in a Security Decision due to the use of X-Forwarded-For header in the cachekeyfromrequest function. An attacker...
CVE-2025-59152 X-Forwarded-For Header Spoofing Bypasses Litestar Rate Limiting
Litestar is an Asynchronous Server Gateway Interface ASGI framework. In version 2.17.0, rate limits can be completely bypassed by manipulating the X-Forwarded-For header. This renders IP-based rate limiting ineffective against determined attackers. Litestar's RateLimitMiddleware uses...
CVE-2025-59152
Litestar vulnerability in RateLimitMiddleware: when X-Forwarded-For is present, cache_key_from_request() trusts it unconditionally, enabling per-header-bucket rate-limiting and bypass of IP-based quotas. Affected: Litestar 2.17.0 with default RateLimitMiddleware configuration. Mitigation: upgrade...
EUVD-2024-0214
Malicious code in bioql PyPI...
EUVD-2024-2492
Malicious code in bioql PyPI...