Skip to main content

Litestar CVE-2026-25480

MEDIUM
Improper Handling of Unicode Encoding (CWE-176)
2026-02-09 security-advisories@github.com GHSA-vxqx-rh46-q2pg
6.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

4
Analysis Generated
Mar 12, 2026 - 21:54 vuln.today
PoC Detected
Feb 17, 2026 - 15:12 vuln.today
Public exploit code
Patch released
Feb 17, 2026 - 15:12 nvd
Patch available
CVE Published
Feb 09, 2026 - 20:15 nvd
MEDIUM 6.5

DescriptionGitHub Advisory

Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to 2.20.0, FileStore maps cache keys to filenames using Unicode NFKD normalization and ord() substitution without separators, creating key collisions. When FileStore is used as response-cache backend, an unauthenticated remote attacker can trigger cache key collisions via crafted paths, causing one URL to serve cached responses of another (cache poisoning/mixup). This vulnerability is fixed in 2.20.0.

AnalysisAI

Cache poisoning in Litestar before 2.20.0 allows unauthenticated remote attackers to exploit improper Unicode normalization in the FileStore cache backend to create collisions between cache keys, enabling one URL to serve another URL's cached responses. Public exploit code exists for this vulnerability. An attacker can leverage this to serve malicious cached content to users accessing legitimate endpoints.

Technical ContextAI

Classified as CWE-176 (Improper Handling of Unicode Encoding). Affects Litestar. Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to 2.20.0, FileStore maps cache keys to filenames using Unicode NFKD normalization and ord() substitution without separators, creating key collisions. When FileStore is used as response-cache backend, an unauthenticated remote attacker can trigger cache key collisions via crafted paths, causing one URL to serve cached responses of another (cache poisoning/mixup). This vulnerability is fixed in 2.20.0.

RemediationAI

A vendor patch is available — apply it immediately. Fixed in version 2.20.0.. Restrict network access to the affected service where possible.

Share

CVE-2026-25480 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy