Description

Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to 2.20.0, FileStore maps cache keys to filenames using Unicode NFKD normalization and ord() substitution without separators, creating key collisions. When FileStore is used as response-cache backend, an unauthenticated remote attacker can trigger cache key collisions via crafted paths, causing one URL to serve cached responses of another (cache poisoning/mixup). This vulnerability is fixed in 2.20.0.

INFO

Published Date :

2026-02-09T18:49:34.305Z

Last Modified :

2026-02-10T16:01:06.327Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-25480 vulnerability.

Vendors Products
Litestar
  • Litestar
Litestar-org
  • Litestar
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-25480.

URL Resource
https://docs.litestar.dev/2/release-notes/changelog.html#2.20.0 cve-icon cve-icon
https://github.com/litestar-org/litestar/commit/85db6183a76f8a6b3fd6ee3c88d860b9f37a2cca cve-icon cve-icon
https://github.com/litestar-org/litestar/releases/tag/v2.20.0 cve-icon cve-icon
https://github.com/litestar-org/litestar/security/advisories/GHSA-vxqx-rh46-q2pg cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact