
CVE-2026-25478: CWE-942: Permissive Cross-domain Policy with Untrusted Domains in litestar-org litestar

Severity: High
Tags: Vulnerability, CVE-2026-25478, CWE-942
Published: Mon Feb 09 2026 (02/09/2026, 18:46:56 UTC)
Source: CVE Database V5
Vendor/Project: litestar-org
Product: litestar

Description

CVE-2026-25478 is a high-severity vulnerability in the litestar ASGI framework in versions prior to 2.20.0. It arises from improper construction of the allowed_origins_regex used for CORS origin validation: regex metacharacters in the allowlist entries are not escaped. This flaw allows malicious origins to bypass the intended restrictions, potentially enabling cross-domain attacks. Exploitation requires user interaction but no authentication, and it can lead to a breach of confidentiality by exposing sensitive data to untrusted domains. The vulnerability affects web applications that use litestar as their asynchronous server gateway interface, particularly those relying on CORS for security. Although no known exploits are currently in the wild, the vulnerability's nature and its CVSS score of 7.4 indicate a significant risk. European organizations using litestar in web services should prioritize upgrading to version 2.

AI-Powered Analysis

AI analysis last updated: 02/17/2026, 09:43:31 UTC

Technical Analysis

CVE-2026-25478 is a vulnerability identified in the litestar asynchronous server gateway interface (ASGI) framework, specifically affecting versions prior to 2.20.0. The issue stems from the way litestar constructs the allowed_origins_regex for Cross-Origin Resource Sharing (CORS) validation. The allowed_origins_regex is built from configured allowlist values but fails to escape regex metacharacters properly. This improper escaping means that a maliciously crafted origin string can match the regex unexpectedly when the framework uses the fullmatch() method for validation. As a result, origins that should be blocked can bypass the CORS policy, allowing cross-domain requests from untrusted sources. This vulnerability corresponds to CWE-942, which relates to permissive cross-domain policies that trust unverified domains. The impact is primarily on confidentiality, as unauthorized domains may gain access to sensitive information through cross-origin requests. The CVSS v3.1 score is 7.4 (high), reflecting network attack vector, low attack complexity, no privileges required, but requiring user interaction, and a scope change with high confidentiality impact but no integrity or availability impact. The vulnerability was published on February 9, 2026, and fixed in litestar version 2.20.0. There are no known exploits in the wild yet, but the flaw poses a significant risk to applications relying on litestar's CORS implementation for security. Organizations using affected versions should upgrade promptly and review their CORS configurations to ensure no unintended origins are allowed due to regex misconfiguration.

Potential Impact

For European organizations, this vulnerability can lead to unauthorized data exposure through cross-origin requests, compromising confidentiality of sensitive information handled by web applications built on the litestar framework. Since litestar is an ASGI framework often used in Python-based asynchronous web services, organizations in sectors such as finance, healthcare, and government that rely on these technologies are at risk. The vulnerability allows attackers to craft malicious origins that bypass CORS restrictions, potentially enabling data theft or session hijacking if combined with other weaknesses. Although integrity and availability are not directly impacted, the breach of confidentiality can have severe regulatory and reputational consequences, especially under GDPR. The ease of exploitation (no privileges required and low complexity) increases the threat level. European companies with public-facing APIs or web applications using litestar should consider this vulnerability critical to address to prevent data leakage and maintain compliance with data protection laws.

Mitigation Recommendations

1. Upgrade all litestar instances to version 2.20.0 or later, where the vulnerability is fixed by properly escaping regex metacharacters in allowed_origins_regex.
2. Audit current CORS configurations to identify any overly permissive or regex-based origin allowlists and replace them with explicit, validated origin lists where possible.
3. Implement runtime monitoring and logging of cross-origin requests to detect anomalous or unexpected origins attempting access.
4. Employ Web Application Firewalls (WAFs) with rules to block suspicious cross-origin requests that do not match expected patterns.
5. Educate developers and security teams about the risks of regex-based origin validation and encourage use of safer CORS libraries or configurations.
6. Conduct penetration testing focused on CORS policies to verify that no unauthorized origins can bypass restrictions.
7. For critical applications, consider additional layers of authentication or token validation on cross-origin requests to reduce the risk of unauthorized data access.
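The following is an added illustration of the bug class described in the Technical Analysis and of the configuration audit in mitigation step 2; it is not litestar's own code, and the origins, the regex builders and the audit helper are constructed for this example. It builds an origin allowlist regex two ways, the unescaped join in which a literal dot behaves as a wildcard, and the re.escape() form, and validates with fullmatch() as the advisory describes.

```python
import re

# Constructed allowlist, as an operator might configure allowed origins.
ALLOWED_ORIGINS = ["https://app.example.com", "https://admin.example.com"]

# Characters that carry meaning in a regex; any of them in a configured
# origin means the entry must be escaped before the pattern is compiled.
REGEX_METACHARACTERS = set(".^$*+?{}[]\\|()")


def build_origin_regex_unescaped(origins):
    """Vulnerable construction (hypothetical, not litestar's code): entries are
    joined into an alternation verbatim, so every '.' in a hostname matches
    any single character instead of a literal dot."""
    return re.compile("|".join(origins))


def build_origin_regex_escaped(origins):
    """Hardened construction: re.escape() turns each metacharacter literal."""
    return re.compile("|".join(re.escape(o) for o in origins))


def is_origin_allowed(pattern, origin):
    """Validate the way the advisory describes: fullmatch() of the Origin value."""
    return pattern.fullmatch(origin) is not None


def origins_needing_escape(origins):
    """Audit helper: return configured entries containing regex metacharacters,
    i.e. the ones that are misread if compiled without escaping."""
    return [o for o in origins if any(c in REGEX_METACHARACTERS for c in o)]


if __name__ == "__main__":
    # A lookalike host in which 'x' stands where the allowlist entry has '.'.
    lookalike = "https://appxexample.com"
    vuln = build_origin_regex_unescaped(ALLOWED_ORIGINS)
    safe = build_origin_regex_escaped(ALLOWED_ORIGINS)
    print("unescaped allows lookalike:", is_origin_allowed(vuln, lookalike))  # True
    print("escaped allows lookalike:  ", is_origin_allowed(safe, lookalike))  # False
    print("entries needing escape:", origins_needing_escape(ALLOWED_ORIGINS))
```

Running origins_needing_escape() over a deployed allowlist is a quick way to tell whether an unpatched instance's configuration is actually exposed by this bug.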


Technical Details

Data Version
5.2
Assigner Short Name
GitHub_M
Date Reserved
2026-02-02T16:31:35.820Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 698a36074b57a58fa16ab1d4

Added to database: 2/9/2026, 7:31:19 PM

Last enriched: 2/17/2026, 9:43:31 AM

Last updated: 2/21/2026, 12:22:08 AM

Views: 59
