Litestar
CVE-2026-25480
MEDIUM
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
4DescriptionGitHub Advisory
Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to 2.20.0, FileStore maps cache keys to filenames using Unicode NFKD normalization and ord() substitution without separators, creating key collisions. When FileStore is used as response-cache backend, an unauthenticated remote attacker can trigger cache key collisions via crafted paths, causing one URL to serve cached responses of another (cache poisoning/mixup). This vulnerability is fixed in 2.20.0.
AnalysisAI
Cache poisoning in Litestar before 2.20.0 allows unauthenticated remote attackers to exploit improper Unicode normalization in the FileStore cache backend to create collisions between cache keys, enabling one URL to serve another URL's cached responses. Public exploit code exists for this vulnerability. An attacker can leverage this to serve malicious cached content to users accessing legitimate endpoints.
Technical ContextAI
Classified as CWE-176 (Improper Handling of Unicode Encoding). Affects Litestar. Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to 2.20.0, FileStore maps cache keys to filenames using Unicode NFKD normalization and ord() substitution without separators, creating key collisions. When FileStore is used as response-cache backend, an unauthenticated remote attacker can trigger cache key collisions via crafted paths, causing one URL to serve cached responses of another (cache poisoning/mixup). This vulnerability is fixed in 2.20.0.
RemediationAI
A vendor patch is available — apply it immediately. Fixed in version 2.20.0.. Restrict network access to the affected service where possible.
Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. Rated high severity (CVSS 8.2), this vulnerabilit
Litestar ASGI framework versions before 2.20.0 fail to properly escape regex metacharacters in CORS origin validation, a
Litestar versions before 2.20.0 improperly escape regex metacharacters in the allowed_hosts middleware, allowing attacke
Same weakness CWE-176 – Improper Handling of Unicode Encoding
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-vxqx-rh46-q2pg