python · litestar
Heads-up
litestar AllowedHostsMiddleware trusts X-Forwarded-Host when Host header missing
AllowedHostsMiddleware trusts the X-Forwarded-Host header when the Host header is absent, allowing bypass of host validation.
What changed
When a request arrives without a Host header, AllowedHostsMiddleware falls back to the X-Forwarded-Host header and validates that value instead. Because any client can set X-Forwarded-Host, a request that omits Host and supplies an allowed name in X-Forwarded-Host passes host validation, bypassing the check.
Who it affects
Applications using AllowedHostsConfig that are reachable without a reverse proxy stripping X-Forwarded-Host, or that accept HTTP/1.0 connections (which need not carry a Host header at all).
What to do today
Update to a patched version, or configure a reverse proxy to strip the X-Forwarded-Host header from untrusted sources so that only the proxy itself can set it.
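To make the failure mode concrete, here is an added example that is not litestar's own code: a simplified model of an allowed-hosts check with the flawed fallback beside a hardened variant that only honours X-Forwarded-Host from a configured proxy. The allow-list, the proxy address and the sample requests are constructed, and fnmatch wildcards stand in for litestar's real pattern matching.

```python
from fnmatch import fnmatch

ALLOWED_HOSTS = ["example.com", "*.example.com"]   # constructed allow-list
TRUSTED_PROXIES = {"10.0.0.5"}                     # constructed: our own reverse proxy


def host_allowed(host: str) -> bool:
    """Match the host (port stripped, case-folded) against the allow-list patterns."""
    name = host.split(":", 1)[0].lower()
    return bool(name) and any(fnmatch(name, pattern) for pattern in ALLOWED_HOSTS)


def weak_check(headers: dict, client_ip: str) -> bool:
    """Flawed behaviour: with no Host header, X-Forwarded-Host is used instead,
    whoever sent it, so the client chooses which value gets validated."""
    host = headers.get("host") or headers.get("x-forwarded-host", "")
    return host_allowed(host)


def hardened_check(headers: dict, client_ip: str) -> bool:
    """X-Forwarded-Host is honoured only when the peer is a configured proxy;
    from anyone else only Host counts, and a missing Host is a rejection."""
    if client_ip in TRUSTED_PROXIES and "x-forwarded-host" in headers:
        host = headers["x-forwarded-host"]
    else:
        host = headers.get("host", "")
    return host_allowed(host)


# Constructed requests: (label, lower-cased header names, peer address)
SAMPLE_REQUESTS = [
    ("direct client, valid Host", {"host": "api.example.com"}, "203.0.113.9"),
    ("direct client, wrong Host", {"host": "evil.test"}, "203.0.113.9"),
    ("direct client, no Host (HTTP/1.0 style), forged X-Forwarded-Host",
     {"x-forwarded-host": "example.com"}, "203.0.113.9"),
    ("via trusted proxy, X-Forwarded-Host set by the proxy",
     {"host": "app-internal:8000", "x-forwarded-host": "www.example.com"}, "10.0.0.5"),
]


def compare() -> dict:
    """Return {label: (weak_result, hardened_result)} for every sample request."""
    return {label: (weak_check(h, ip), hardened_check(h, ip))
            for label, h, ip in SAMPLE_REQUESTS}


if __name__ == "__main__":
    for label, (weak, hard) in compare().items():
        print(f"{label:70} weak={weak!s:5} hardened={hard}")
```

The third request is the case the advisory describes: the weak check accepts it, the hardened one does not, while the fourth shows that a proxy you control can still pass the public host name through.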