6.5 MEDIUM
- CVSS version: 3.1
- Attack vector (AV): NETWORK
- Attack complexity (AC): LOW
- Privileges required (PR): NONE
- User interaction (UI): NONE
- Scope (S): UNCHANGED
- Confidentiality impact (C): LOW
- Integrity impact (I): LOW
- Availability impact (A): NONE
Activity log
- Created suggestion
Litestar has an AllowedHosts validation bypass due to unescaped regex metacharacters in configured host patterns
Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to 2.20.0, in litestar.middleware.allowed_hosts, allowlist entries are compiled into regex patterns in a way that allows regex metacharacters to retain special meaning (e.g., . matches any character). This enables a bypass where an attacker supplies a host that matches the regex but is not the intended literal hostname. This vulnerability is fixed in 2.20.0.
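The description above says the allowlist entries are turned into regexes without escaping, so a literal "." in a configured hostname still matches any character. The following added example (written for this page, not Litestar's own code) puts a constructed vulnerable pattern compiler next to a hardened one that uses re.escape(), and runs a few constructed Host values through both so the difference is visible. The "*" subdomain-wildcard syntax, the function names and the sample hosts are assumptions for illustration, not details taken from the advisory.

```python
import re
from typing import Iterable, List, Pattern

# Constructed allowlist for the demonstration (assumption: a leading "*" is
# meant as a subdomain wildcard, e.g. "*.example.com").
ALLOWED_HOSTS = ["example.com", "*.example.com"]

# Characters that carry special meaning inside a regular expression.
_REGEX_METACHARS = set(".^$*+?{}[]\\|()")


def compile_unescaped(patterns: Iterable[str]) -> List[Pattern[str]]:
    """Vulnerable form (constructed): the configured host text is dropped into
    the regex verbatim, so "." keeps its "any character" meaning."""
    return [
        re.compile(r"^" + p.replace("*", ".*") + r"$", re.IGNORECASE)
        for p in patterns
    ]


def compile_escaped(patterns: Iterable[str]) -> List[Pattern[str]]:
    """Hardened form: every literal segment is passed through re.escape(), and
    only the wildcard "*" is translated into a regex construct."""
    compiled = []
    for p in patterns:
        literal_parts = [re.escape(segment) for segment in p.split("*")]
        compiled.append(re.compile(r"^" + r".*".join(literal_parts) + r"$", re.IGNORECASE))
    return compiled


def host_allowed(host_header: str, compiled: Iterable[Pattern[str]]) -> bool:
    """Return True if the Host header value matches any compiled pattern.
    The port is stripped with a simple rsplit; IPv6 literals are out of scope here."""
    hostname = host_header.rsplit(":", 1)[0] if host_header.count(":") == 1 else host_header
    return any(pattern.fullmatch(hostname) for pattern in compiled)


def unescaped_metachars(pattern: str) -> List[str]:
    """Config check: list regex metacharacters (other than the wildcard "*")
    that a configured host contains. A hostname allowlist should only ever
    contain ".", so this is useful for spotting where escaping matters."""
    return sorted({c for c in pattern if c in _REGEX_METACHARS and c != "*"})


def demo() -> dict:
    """Run constructed Host values through both compilers and report the outcome."""
    vulnerable = compile_unescaped(ALLOWED_HOSTS)
    hardened = compile_escaped(ALLOWED_HOSTS)
    hosts = ["example.com", "api.example.com", "exampleXcom", "apiXexampleXcom:8080"]
    return {
        h: {"unescaped": host_allowed(h, vulnerable), "escaped": host_allowed(h, hardened)}
        for h in hosts
    }


if __name__ == "__main__":
    for host, verdict in demo().items():
        print(f"{host:24} unescaped={verdict['unescaped']!s:5} escaped={verdict['escaped']}")
```

With the unescaped compiler, "exampleXcom" is accepted because the "." in "example.com" matches the "X"; with the escaped compiler only the literal hostnames and genuine subdomains pass. The unescaped_metachars() helper is a cheap configuration check a deployment can run over its allowlist to confirm that the only metacharacter present is the one it intends as a wildcard.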
References
- https://github.com/litestar-org/litestar/security/advisories/GHSA-93ph-p7v4-hwh4 x_refsource_CONFIRM
- https://docs.litestar.dev/2/release-notes/changelog.html#2.20.0 x_refsource_MISC
- https://github.com/litestar-org/litestar/releases/tag/v2.20.0 x_refsource_MISC
Affected products
- < 2.20.0
Matching in nixpkgs
pkgs.litestar
Production-ready, Light, Flexible and Extensible ASGI API framework
pkgs.python312Packages.litestar
Production-ready, Light, Flexible and Extensible ASGI API framework
- nixos-unstable 2.13.0
pkgs.python313Packages.litestar
Production-ready, Light, Flexible and Extensible ASGI API framework
pkgs.python314Packages.litestar
Production-ready, Light, Flexible and Extensible ASGI API framework
pkgs.python312Packages.litestar-htmx
HTMX Integration for Litestar
- nixos-unstable 0.5.0
pkgs.python313Packages.litestar-htmx
HTMX Integration for Litestar
pkgs.python314Packages.litestar-htmx
HTMX Integration for Litestar
Package maintainers
- @Bot-wxt1221 Bot-wxt1221 <3264117476@qq.com>