Nixpkgs security tracker
7.4 HIGH
- CVSS version: 3.1
- Attack vector (AV): NETWORK
- Attack complexity (AC): LOW
- Privileges required (PR): NONE
- User interaction (UI): REQUIRED
- Scope (S): CHANGED
- Confidentiality impact (C): HIGH
- Integrity impact (I): NONE
- Availability impact (A): NONE
Activity log
- Created suggestion
Litestar has a CORS origin allowlist bypass due to unescaped regex metacharacters in allowed origins
Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to 2.20.0, CORSConfig.allowed_origins_regex is constructed using a regex built from configured allowlist values and used with fullmatch() for validation. Because metacharacters are not escaped, a malicious origin can match unexpectedly. The check relies on allowed_origins_regex.fullmatch(origin). This vulnerability is fixed in 2.20.0.
References
-
https://github.com/litestar-org/litestar/security/advisories/GHSA-2p2x-hpg8-cqp2 x_refsource_CONFIRM
-
https://docs.litestar.dev/2/release-notes/changelog.html#2.20.0 x_refsource_MISC
-
https://github.com/litestar-org/litestar/releases/tag/v2.20.0 x_refsource_MISC
Affected products
- ==< 2.20.0
Matching in nixpkgs
pkgs.litestar
Production-ready, Light, Flexible and Extensible ASGI API framework
pkgs.python312Packages.litestar
Production-ready, Light, Flexible and Extensible ASGI API framework
-
nixos-unstable 2.13.0
pkgs.python313Packages.litestar
Production-ready, Light, Flexible and Extensible ASGI API framework
pkgs.python314Packages.litestar
Production-ready, Light, Flexible and Extensible ASGI API framework
pkgs.python312Packages.litestar-htmx
HTMX Integration for Litesstar
-
nixos-unstable 0.5.0
pkgs.python313Packages.litestar-htmx
HTMX Integration for Litesstar
pkgs.python314Packages.litestar-htmx
HTMX Integration for Litesstar
Package maintainers
-
@Bot-wxt1221 Bot-wxt1221 <3264117476@qq.com>