FileStore key canonicalization collisions allow response cache mixup/poisoning (ASCII ord...

6.5 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Description

Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to 2.20.0, FileStore maps cache keys to filenames using Unicode NFKD normalization and ord() substitution without separators, creating key collisions. When FileStore is used as response-cache backend, an unauthenticated remote attacker can trigger cache key collisions via crafted paths, causing one URL to serve cached responses of another (cache poisoning/mixup). This vulnerability is fixed in 2.20.0.

Basic Information

ID CVE-2026-25480

Source GitHub_M

Published Feb 9, 2026 at 18:49

Affected Product

Vendor litestar-org

Product litestar

Version < 2.20.0

Affected Versions litestar-org litestar < 2.20.0

CWE Classification

CWE-176

References

{
    "lastseen": "",
    "description": "Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to 2.20.0, FileStore maps cache keys to filenames using Unicode NFKD normalization and ord() substitution without separators, creating key collisions. When FileStore is used as response-cache backend, an unauthenticated remote attacker can trigger cache key collisions via crafted paths, causing one URL to serve cached responses of another (cache poisoning/mixup). This vulnerability is fixed in 2.20.0.",
    "published": "2026-02-09T18:49:34.305Z",
    "modified": "2026-02-09T18:49:34.305Z",
    "type": "cve",
    "title": "FileStore key canonicalization collisions allow response cache mixup/poisoning (ASCII ord + Unicode NFKD)",
    "source": "GitHub_M",
    "references": "https://github.com/litestar-org/litestar/security/advisories/GHSA-vxqx-rh46-q2pg\nhttps://github.com/litestar-org/litestar/commit/85db6183a76f8a6b3fd6ee3c88d860b9f37a2cca\nhttps://docs.litestar.dev/2/release-notes/changelog.html#2.20.0\nhttps://github.com/litestar-org/litestar/releases/tag/v2.20.0",
    "id": "CVE-2026-25480",
    "bulletinFamily": "",
    "cwe": [
        "CWE-176"
    ],
    "cvelist": null,
    "sourceData": "litestar-org litestar < 2.20.0",
    "sourceHref": "",
    "cvss": {
        "score": 6.5,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "litestar",
    "version": "< 2.20.0",
    "vendor": "litestar-org",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

FileStore key canonicalization collisions allow response cache mixup/poisoning (ASCII ord + Unicode NFKD)_CVE-2026-25480