Litestar (Python) – Support, CVEs & Health

GHSA-2p2x-hpg8-cqp2 CVSS_V3

Litestar's CORS origin allowlist has a bypass due to unescaped regex metacharacters in allowed origins

Published: 2026-02-09 Fixed in: 2.20.0

GHSA-3qmc-cj7q-62hv CVSS_V3

Litestar: AllowedHostsMiddleware bypasses host validation via client-controlled X-Forwarded-Host header

Published: 2026-06-10 Fixed in: 2.22.0

GHSA-542p-wvx7-72m4 CVSS_V3

Litestar has HTML Injection Through its CSRF Token

Published: 2026-06-10 Fixed in: 2.22.0

GHSA-674p-xv2x-rf3g CVSS_V3

Litestar has potential log injection in exception logging

Published: 2025-08-11 Fixed in: 2.17.0

GHSA-83pv-qr33-2vcf CVSS_V3

Litestar and Starlite vulnerable to Path Traversal

Published: 2024-05-06 Fixed in: 2.8.3

GHSA-93ph-p7v4-hwh4 CVSS_V3

Litestar's AllowedHosts has a validation bypass due to unescaped regex metacharacters in configured host patterns

Published: 2026-02-09 Fixed in: 2.20.0

GHSA-gjcc-jvgw-wvwj CVSS_V3

Litestar allows unbounded resource consumption (DoS vulnerability)

Published: 2024-11-20 Fixed in: 2.13.0

GHSA-hm36-ffrh-c77c CVSS_V3

Litestar X-Forwarded-For Header Spoofing Vulnerability Enables Rate Limit Evasion

Published: 2025-10-06 Fixed in: 2.18.0

GHSA-vxqx-rh46-q2pg CVSS_V3

Litestar's FileStore key canonicalization collisions allow response cache mixup/poisoning (ASCII ord + Unicode NFKD)

Published: 2026-02-09 Fixed in: 2.20.0

PYSEC-2024-178 CVSS_V3

Published: 2024-11-20 Fixed in: 53c1473b5ff7502816a9a339ffc90731bb0c2138

Litestar