Description
Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to 2.20.0, FileStore maps cache keys to filenames using Unicode NFKD normalization and ord() substitution without separators, creating key collisions. When FileStore is used as response-cache backend, an unauthenticated remote attacker can trigger cache key collisions via crafted paths, causing one URL to serve cached responses of another (cache poisoning/mixup). This vulnerability is fixed in 2.20.0.
Published: 2026-02-09
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure via Cache Poisoning
Action: Immediate Patch
AI Analysis

Impact

The vulnerability in Litestar arises from how its FileStore component turns cache keys into file names. It normalizes the key with Unicode NFKD and replaces characters with their ord() code points, with no delimiter between adjacent values, so two different URLs can produce the same file name. An attacker who can send arbitrary HTTP requests to the server can craft paths whose keys collide with those of legitimate responses, so that one URL serves the cached response of another. The effect is that sensitive data may be disclosed or the application may serve incorrect content; the weakness corresponds to CWE-176 (Improper Handling of Unicode Encoding). The impact is not control over the system, but it can lead to information disclosure and functional disruption.
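The snippet below is an added illustration, not Litestar's own code: the pre-2.20.0 scheme is modelled as an assumption from the advisory's wording (NFKD, then ord() values spliced between alphanumerics with no separator), and the hash-based alternative is an assumed hardening, not Litestar's actual fix. It shows why distinct keys share a file name under the weak scheme and gives a check that audits a set of cache keys for collisions under either scheme.

```python
import hashlib
import unicodedata
from collections import defaultdict


def weak_filename(key: str) -> str:
    # Model of the pre-2.20.0 scheme described in the advisory (an assumption
    # about its exact form, not Litestar's code): NFKD-normalise, keep
    # alphanumerics, and splice in the decimal ord() of every other character
    # with no separator. "/" becomes "47", so "/a" and "47a" both yield "47a".
    normalized = unicodedata.normalize("NFKD", key)
    return "".join(c if c.isalnum() else str(ord(c)) for c in normalized)


def hardened_filename(key: str) -> str:
    # Assumed hardening (not Litestar's actual fix): hash the key's exact UTF-8
    # bytes, so neither compatibility-equivalent code points nor digit
    # sequences can be aliased onto another key's file name.
    return hashlib.sha256(key.encode("utf-8")).hexdigest()


def find_collisions(keys, to_filename):
    # Group cache keys by the file name a scheme assigns them and return only
    # the groups in which two or more distinct keys share one file.
    groups = defaultdict(list)
    for key in keys:
        groups[to_filename(key)].append(key)
    return {name: ks for name, ks in groups.items() if len(ks) > 1}


# Constructed sample of cache keys such as a response cache might hold.
SAMPLE_KEYS = [
    "/api/users",
    "47api47users",   # literal digits equal to ord("/") == 47
    "/\ufb01le",      # U+FB01 "fi" ligature; NFKD expands it to "fi"
    "/file",
    "/health",
]

if __name__ == "__main__":
    print("weak scheme collisions:", find_collisions(SAMPLE_KEYS, weak_filename))
    print("hardened scheme collisions:", find_collisions(SAMPLE_KEYS, hardened_filename))
```

Running the audit over a deployment's real cache keys (or route paths) with the weak scheme flags every pair that would share a file; the hashed scheme reports none.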

Affected Systems

Litestar, an ASGI framework produced and maintained by litestar-org, is vulnerable in all releases prior to version 2.20.0. The remote attack path is specific to deployments that use FileStore as the response-cache backend; if FileStore is not used in that role, the cache-poisoning path described here is not exposed.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity. The EPSS score is below 1%, implying a very low probability of exploitation in the wild, and the vulnerability is not currently listed in the CISA KEV catalog. Nevertheless, an unauthenticated attacker who can reach the server over HTTP can send a crafted path to trigger the collision. The attack requires no special privileges, depends only on FileStore being the response-cache backend, and leads directly to cache poisoning. While the likelihood of exploitation is low, the potential information disclosure is significant enough to warrant patching.

Generated by OpenCVE AI on April 18, 2026 at 18:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Litestar to version 2.20.0 or later
  • Disable the FileStore response-cache backend on all publicly exposed services until the upgrade can be applied
  • Verify that cached responses are served from a backend whose key scheme cannot map two distinct keys to the same entry, and reconfigure or patch any custom caching logic that reproduces the colliding behaviour


Advisories

Source: GitHub GHSA
ID: GHSA-vxqx-rh46-q2pg
Title: Litestar's FileStore key canonicalization collisions allow response cache mixup/poisoning (ASCII ord + Unicode NFKD)

History

Tue, 17 Feb 2026 15:15:00 +0000

First Time appeared (values added): Litestar; Litestar litestar
CPEs (values added): cpe:2.3:a:litestar:litestar:*:*:*:*:*:*:*:*
Vendors & Products (values added): Litestar; Litestar litestar

Tue, 10 Feb 2026 17:15:00 +0000

Metrics (values added): ssvc
{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 10 Feb 2026 16:30:00 +0000

First Time appeared (values added): Litestar-org; Litestar-org litestar
Vendors & Products (values added): Litestar-org; Litestar-org litestar

Mon, 09 Feb 2026 19:30:00 +0000

Description (values added): Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to 2.20.0, FileStore maps cache keys to filenames using Unicode NFKD normalization and ord() substitution without separators, creating key collisions. When FileStore is used as response-cache backend, an unauthenticated remote attacker can trigger cache key collisions via crafted paths, causing one URL to serve cached responses of another (cache poisoning/mixup). This vulnerability is fixed in 2.20.0.
Title (values added): FileStore key canonicalization collisions allow response cache mixup/poisoning (ASCII ord + Unicode NFKD)
Weaknesses (values added): CWE-176
References (values added):
Metrics (values added): cvssV3_1
{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-10T16:01:06.327Z

Reserved: 2026-02-02T16:31:35.821Z

Link: CVE-2026-25480

Vulnrichment

Updated: 2026-02-10T15:39:52.916Z

NVD

Status: Analyzed

Published: 2026-02-09T20:15:57.330

Modified: 2026-02-17T15:12:34.963

Link: CVE-2026-25480

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T18:15:06Z

Weaknesses