CVE-2026-25480
MEDIUMLitestar < 2.20.0 - Unauthenticated Cache Poisoning via FileStore Key Collision
Title source: llmDescription
Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to 2.20.0, FileStore maps cache keys to filenames using Unicode NFKD normalization and ord() substitution without separators, creating key collisions. When FileStore is used as response-cache backend, an unauthenticated remote attacker can trigger cache key collisions via crafted paths, causing one URL to serve cached responses of another (cache poisoning/mixup). This vulnerability is fixed in 2.20.0.
References (4)
Core 4
Core References
Exploit, Vendor Advisory x_refsource_confirm
https://github.com/litestar-org/litestar/security/advisories/GHSA-vxqx-rh46-q2pg
Patch x_refsource_misc
https://github.com/litestar-org/litestar/commit/85db6183a76f8a6b3fd6ee3c88d860b9f37a2cca
Release Notes x_refsource_misc
https://docs.litestar.dev/2/release-notes/changelog.html#2.20.0
Release Notes x_refsource_misc
https://github.com/litestar-org/litestar/releases/tag/v2.20.0
Scores
CVSS v3
6.5
EPSS
0.0002
EPSS Percentile
6.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-176
Status
published
Products (2)
litestar/litestar
< 2.20.0
pypi/litestar
2.19.0 - 2.20.0PyPI
Published
Feb 09, 2026
Tracked Since
Feb 18, 2026