Vulnerability Description
Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to 2.20.0, FileStore maps cache keys to filenames using Unicode NFKD normalization and ord() substitution without separators, creating key collisions. When FileStore is used as response-cache backend, an unauthenticated remote attacker can trigger cache key collisions via crafted paths, causing one URL to serve cached responses of another (cache poisoning/mixup). This vulnerability is fixed in 2.20.0.
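To show why a separator-free ord() substitution after NFKD normalization is an unsafe key-to-filename mapping, here is an added example (not Litestar's code) with a hypothetical reimplementation of the scheme the description outlines beside a hash-based mapping that cannot collide on distinct keys; the sample keys are constructed for illustration.

```python
import hashlib
import unicodedata


def legacy_key_to_filename(key: str) -> str:
    """Hypothetical reimplementation of the weak scheme described above:
    NFKD-normalize, keep ASCII alphanumerics, and replace every other
    character with str(ord(ch)) with no separator. Because a digit run can
    come either from a literal digit or from an encoded character, and NFKD
    folds compatibility characters onto their ASCII equivalents, distinct
    keys can map to the same filename."""
    normalized = unicodedata.normalize("NFKD", key)
    return "".join(
        ch if ch.isascii() and ch.isalnum() else str(ord(ch)) for ch in normalized
    )


def safe_key_to_filename(key: str) -> str:
    """Collision-resistant mapping: hash the raw UTF-8 bytes of the key.
    No normalization, so visually similar but different keys stay distinct."""
    return hashlib.sha256(key.encode("utf-8")).hexdigest()


def find_collisions(keys, mapper):
    """Return (first_key, second_key, filename) for every pair of distinct
    keys that the mapper sends to the same filename."""
    seen = {}
    collisions = []
    for key in keys:
        name = mapper(key)
        if name in seen and seen[name] != key:
            collisions.append((seen[name], key, name))
        seen.setdefault(name, key)
    return collisions


# Constructed cache keys: "/" encodes as "47", so "/users/1" and "/users471"
# collide; the "fi" ligature (U+FB01) NFKD-normalizes to "fi", so it
# collides with the plain ASCII key.
SAMPLE_KEYS = ["/users/1", "/users471", "\ufb01le", "file"]

if __name__ == "__main__":
    print("legacy:", find_collisions(SAMPLE_KEYS, legacy_key_to_filename))
    print("hashed:", find_collisions(SAMPLE_KEYS, safe_key_to_filename))
```

With the legacy mapping both pairs share a filename, which is exactly the condition under which a response cached for one URL is served for another; the hashed mapping reports no collisions.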
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Litestar | Litestar | < 2.20.0 |
Related Weaknesses (CWE)
References
- Release Notes: https://docs.litestar.dev/2/release-notes/changelog.html#2.20.0
- Patch: https://github.com/litestar-org/litestar/commit/85db6183a76f8a6b3fd6ee3c88d860b9
- Release Notes: https://github.com/litestar-org/litestar/releases/tag/v2.20.0
- Exploit, Vendor Advisory: https://github.com/litestar-org/litestar/security/advisories/GHSA-vxqx-rh46-q2pg
FAQ
What is CVE-2026-25480?
CVE-2026-25480 is a vulnerability with a CVSS score of 6.5 (MEDIUM). Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to 2.20.0, FileStore maps cache keys to filenames using Unicode NFKD normalization and ord() substitution without separator...
How severe is CVE-2026-25480?
CVE-2026-25480 has been rated MEDIUM with a CVSS base score of 6.5/10.
Is there a patch for CVE-2026-25480?
Yes. The issue is fixed in Litestar 2.20.0; see the references section above for the vendor advisory, patch commit and release notes. Affected product: Litestar (vendor: Litestar), versions before 2.20.0.