
CVE-2026-25479: CWE-185: Incorrect Regular Expression in litestar-org litestar

Severity: Medium
Tags: Vulnerability, CVE-2026-25479, CWE-185
Published: Mon Feb 09 2026 (02/09/2026, 18:48:19 UTC)
Source: CVE Database V5
Vendor/Project: litestar-org
Product: litestar

Description

CVE-2026-25479 is a medium-severity vulnerability in the litestar ASGI framework versions prior to 2.20.0. It arises from improper handling of allowlist host entries, where regex metacharacters are not escaped, allowing attackers to bypass intended hostname restrictions by supplying crafted host headers. This can lead to partial confidentiality and integrity impacts without requiring authentication or user interaction. The vulnerability is network exploitable with low attack complexity. European organizations using vulnerable litestar versions in web applications may face risks of unauthorized access or host-based filtering bypass. The issue is fixed in litestar 2.20.0.

AI-Powered Analysis

AI analysis last updated: 02/09/2026, 19:47:55 UTC

Technical Analysis

CVE-2026-25479 is a vulnerability in the litestar ASGI framework, specifically in the middleware component responsible for enforcing allowed hosts via the allowlist. Prior to version 2.20.0, the allowlist entries are compiled into regular expressions without escaping regex metacharacters. This means that special characters like '.' retain their regex meaning, matching any character rather than being treated as a literal dot. Consequently, an attacker can craft a host header that matches the regex pattern but is not the intended hostname, effectively bypassing the allowed hosts restriction. This bypass can lead to unauthorized access or manipulation of host-based filtering logic, potentially allowing attackers to impersonate trusted hosts or circumvent security controls relying on host validation. The vulnerability has a CVSS 3.1 base score of 6.5 (medium severity), with network attack vector, low complexity, no privileges required, no user interaction, and impacts on confidentiality and integrity but not availability. No known exploits are currently reported in the wild. The issue is resolved in litestar version 2.20.0 by properly escaping regex metacharacters to enforce literal matching of allowlist entries.

Potential Impact

For European organizations, this vulnerability could allow attackers to bypass host-based access controls in web applications built on vulnerable litestar versions. This may lead to unauthorized access to internal services, session fixation, or host header injection attacks that compromise the confidentiality and integrity of data. While availability is not impacted, the ability to spoof or bypass host restrictions can facilitate further exploitation or lateral movement within networks. Organizations relying on litestar for critical web services, especially those exposing APIs or internal dashboards, are at risk. The medium severity reflects moderate impact, but the ease of exploitation over the network without authentication increases the threat. Given the growing adoption of Python ASGI frameworks in Europe, especially in technology hubs and financial sectors, the vulnerability could affect a wide range of applications if not patched promptly.

Mitigation Recommendations

The primary mitigation is to upgrade all litestar deployments to version 2.20.0 or later, where the vulnerability is fixed by escaping regex metacharacters in allowlist entries. Until upgrades can be performed, organizations should audit their allowed hosts configurations to ensure no untrusted or ambiguous hostnames are permitted. Implement additional host header validation at the web server or reverse proxy level to enforce strict literal matching. Employ Web Application Firewalls (WAFs) with rules to detect and block suspicious host header patterns. Monitor logs for unusual host header values that do not correspond to legitimate hosts. Conduct penetration testing focused on host header injection and bypass attempts. Finally, maintain an inventory of applications using litestar to prioritize patching and risk assessment.
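The bug class described in the Technical Analysis, and the log-monitoring step recommended above, can be demonstrated together. The following Python is an added example, not litestar's own code or configuration: it builds an allowlist pattern both with and without escaping, then scans constructed log lines for Host values that pass only because of the unescaped metacharacters. The allowlist, the log format and the port-stripping rule are all assumptions of this example.

```python
import re
from typing import Iterable

# Constructed allowlist for demonstration; not a litestar configuration.
ALLOWED_HOSTS = ["example.com", "api.example.com"]


def compile_allowlist(entries: Iterable[str], escape: bool) -> re.Pattern:
    """Build one anchored alternation from the allowlist entries.

    escape=False reproduces the bug class: entries are interpolated raw, so a
    '.' in "example.com" means "any character". escape=True is the literal
    matching that the fix enforces.
    """
    parts = [re.escape(e) if escape else e for e in entries]
    return re.compile(r"^(?:" + "|".join(parts) + r")$", re.IGNORECASE)


VULNERABLE = compile_allowlist(ALLOWED_HOSTS, escape=False)
FIXED = compile_allowlist(ALLOWED_HOSTS, escape=True)


def host_allowed(pattern: re.Pattern, host_header: str) -> bool:
    # Assumed convention: drop an explicit port before matching. IPv6
    # literals are not handled here.
    host = host_header.split(":", 1)[0]
    return pattern.match(host) is not None


# Constructed access-log lines in the form "<client> <Host header> <status>".
LOG_LINES = [
    "10.0.0.5 example.com 200",
    "10.0.0.5 api.example.com 200",
    "203.0.113.9 exampleXcom 200",
    "203.0.113.9 apiZexample.com 200",
    "203.0.113.9 evil.example.org 400",
]


def find_bypass_hosts(lines: Iterable[str]) -> list[str]:
    """Return Host values accepted by the buggy pattern but not the literal one.

    Such values are the signature of this CVE in logs: they should never have
    passed the allowlist, and only did so because '.' matched any character.
    """
    hits = []
    for line in lines:
        host = line.split()[1]
        if host_allowed(VULNERABLE, host) and not host_allowed(FIXED, host):
            hits.append(host)
    return hits
```

Running find_bypass_hosts over a real access log after the upgrade to 2.20.0 shows which requests were being let through by the old pattern.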


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-02-02T16:31:35.821Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 698a36074b57a58fa16ab1da

Added to database: 2/9/2026, 7:31:19 PM

Last enriched: 2/9/2026, 7:47:55 PM

Last updated: 2/9/2026, 8:36:58 PM
