CVE-2026-25480
- Source
- https://cve.org/CVERecord?id=CVE-2026-25480
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-25480.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2026-25480
- Aliases
- Published
- 2026-02-09T18:49:34.305Z
- Modified
- 2026-03-01T02:57:15.324589Z
- Severity
-
- 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS Calculator
- Summary
- FileStore key canonicalization collisions allow response cache mixup/poisoning (ASCII ord + Unicode NFKD)
- Details
-
Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to 2.20.0, FileStore maps cache keys to filenames using Unicode NFKD normalization and ord() substitution without separators, creating key collisions. When FileStore is used as response-cache backend, an unauthenticated remote attacker can trigger cache key collisions via crafted paths, causing one URL to serve cached responses of another (cache poisoning/mixup). This vulnerability is fixed in 2.20.0.
- Database specific
{ "cna_assigner": "GitHub_M", "cwe_ids": [ "CWE-176" ], "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/25xxx/CVE-2026-25480.json" }- References
-
- https://docs.litestar.dev/2/release-notes/changelog.html#2.20.0
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/25xxx/CVE-2026-25480.json
- https://github.com/litestar-org/litestar/commit/85db6183a76f8a6b3fd6ee3c88d860b9f37a2cca
- https://github.com/litestar-org/litestar/releases/tag/v2.20.0
- https://github.com/litestar-org/litestar/security/advisories/GHSA-vxqx-rh46-q2pg
- https://nvd.nist.gov/vuln/detail/CVE-2026-25480
Affected packages
Git / github.com/litestar-org/litestar
Affected ranges
- Type
- GIT
- Repo
- https://github.com/litestar-org/litestar
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
0.*
0.7.2
v0.*
v0.0.1a
v0.1.0
v0.1.0b1
v0.1.1
v0.1.2
v0.1.3
v0.1.4
v0.1.5
v0.1.6
v0.2.0
v0.2.1
v0.3.0
v0.4.0
v0.4.1
v0.4.2
v0.4.3
v0.5.0
v0.6.0
v0.7.0
v0.7.1
v1.*
v1.0.0
v1.0.1
v1.0.2
v1.0.3
v1.0.4
v1.0.5
v1.1.0
v1.1.1
v1.10.0
v1.10.1
v1.11.0
v1.11.1
v1.12.0
v1.13.0
v1.13.1
v1.14.0
v1.14.1
v1.14.2
v1.15.0
v1.16.0
v1.16.1
v1.16.2
v1.17.0
v1.17.1
v1.17.2
v1.18.0
v1.18.1
v1.19.0
v1.2.0
v1.2.1
v1.2.2
v1.2.3
v1.2.4
v1.2.5
v1.20.0
v1.21.0
v1.21.1
v1.21.2
v1.22.0
v1.23.0
v1.23.1
v1.24.0
v1.25.0
v1.26.0
v1.26.1
v1.27.0
v1.28.0
v1.28.1
v1.29.0
v1.3.0
v1.3.1
v1.3.2
v1.3.3
v1.3.4
v1.3.5
v1.3.6
v1.3.7
v1.3.8
v1.3.9
v1.30.0
v1.31.0
v1.32.0
v1.33.0
v1.34.0
v1.35.0
v1.35.1
v1.36.0
v1.37.0
v1.38.0
v1.39.0
v1.4.0
v1.4.1
v1.4.2
v1.40.0
v1.40.1
v1.41.0
v1.42.0
v1.43.0
v1.43.1
v1.44.0
v1.45.0
v1.45.1
v1.46.0
v1.47.0
v1.48.0
v1.48.1
v1.49.0
v1.5.0
v1.5.1
v1.5.2
v1.5.3
v1.5.4
v1.50.0
v1.50.1
v1.50.2
v1.51.0
v1.6.0
v1.6.1
v1.6.2
v1.6.3
v1.7.0
v1.7.1
v1.7.2
v1.7.3
v1.8.0
v1.8.1
v1.9.0
v1.9.1
v2.*
v2.0.0
v2.0.0alpha1
v2.0.0alpha2
v2.0.0alpha3
v2.0.0alpha4
v2.0.0alpha5
v2.0.0alpha6
v2.0.0alpha7
v2.0.0beta1
v2.0.0beta2
v2.0.0beta3
v2.0.0beta4
v2.0.0rc1
v2.1.0
v2.1.1
v2.10.0
v2.11.0
v2.12.0
v2.12.1
v2.13.0
v2.14.0
v2.15.0
v2.15.1
v2.15.2
v2.16.0
v2.17.0
v2.18.0
v2.19.0
v2.2.0
v2.2.1
v2.3.0
v2.3.1
v2.3.2
v2.4.0
v2.4.1
v2.4.2
v2.4.3
v2.4.4
v2.4.5
v2.5.0
v2.5.1
v2.5.2
v2.5.3
v2.5.4
v2.5.5
v2.6.0
v2.6.1
v2.6.2
v2.6.3
v2.7.0
v2.7.1
v2.8.0
v2.9.0