PT-2026-7137 · Litestar · Litestar

Sirdorblu · Published 2026-02-09 · Updated 2026-02-10 · CVE-2026-25480

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Litestar versions prior to 2.20.0
Description: Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. When FileStore is used as the response-cache backend, an unauthenticated remote attacker can trigger cache key collisions via crafted paths, so that one URL serves the cached response of another (cache poisoning or response mix-up). The issue arises because FileStore maps cache keys to filenames using Unicode NFKD normalization and ord() substitution without separators, so distinct keys can produce the same filename. For example, the key "k-" becomes "k45" (the hyphen is replaced by its ord() value, 45), which is also the filename for a key that literally reads "k45"; likewise the Kelvin sign "K" (U+212A) normalizes under NFKD to the ASCII letter "K". The default cache key includes the request path and the sorted query parameters, both of which are attacker-controlled.
Recommendations: Versions prior to 2.20.0 should be updated to version 2.20.0 or later.
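To make the collision mechanism concrete, here is an added example that is not Litestar's code: a reconstruction of the key-to-filename mapping as the advisory describes it (NFKD plus separator-less ord() substitution, assumed from the description), beside a digest-based mapping that removes the collision; the shape of default_cache_key is likewise assumed from the description.

```python
import hashlib
import unicodedata


def weak_key_to_filename(key: str) -> str:
    """Assumed reconstruction of the vulnerable mapping: NFKD-normalize the key,
    keep alphanumerics, replace every other character with its decimal ord()
    value, and join the pieces with no separator (so "k-" and "k45" coincide)."""
    normalized = unicodedata.normalize("NFKD", key)
    return "".join(ch if ch.isalnum() else str(ord(ch)) for ch in normalized)


def hardened_key_to_filename(key: str) -> str:
    """Hardened mapping: name the file after a SHA-256 digest of the raw key
    bytes, so distinct keys cannot share a filename short of a hash collision."""
    return hashlib.sha256(key.encode("utf-8")).hexdigest()


def default_cache_key(path: str, query: dict) -> str:
    """Assumed shape of the default cache key: request path plus the sorted query
    parameters (the advisory states both are included and attacker-controlled)."""
    query_part = "&".join(f"{k}={query[k]}" for k in sorted(query))
    return f"{path}?{query_part}" if query_part else path


def find_collisions(keys: list, mapping) -> list:
    """Return each pair of distinct keys that `mapping` sends to one filename."""
    seen = {}
    pairs = []
    for key in keys:
        name = mapping(key)
        if name in seen and seen[name] != key:
            pairs.append((seen[name], key))
        seen.setdefault(name, key)
    return pairs


# Constructed sample keys: two legitimate paths and one lookalike for each of the
# advisory's collision classes (separator-less ord() and the Kelvin sign).
SAMPLE_KEYS = [
    default_cache_key("/items/k45", {}),
    default_cache_key("/items/k-", {}),
    default_cache_key("/items/K", {}),
    default_cache_key("/items/\u212a", {}),  # Kelvin sign, NFKD -> "K"
]

if __name__ == "__main__":
    print("weak mapping collisions:", find_collisions(SAMPLE_KEYS, weak_key_to_filename))
    print("hardened mapping collisions:", find_collisions(SAMPLE_KEYS, hardened_key_to_filename))
```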

Related Identifiers: CVE-2026-25480, GHSA-VXQX-RH46-Q2PG

Affected Products: Litestar