PYSEC-2026-2197

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/litestar/PYSEC-2026-2197.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-2197
Aliases
Published
2026-02-09T20:15:57.330Z
Modified
2026-07-13T07:15:34.276090244Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS Calculator
Summary
[none]
Details

Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to 2.20.0, FileStore maps cache keys to filenames using Unicode NFKD normalization and ord() substitution without separators, creating key collisions. When FileStore is used as response-cache backend, an unauthenticated remote attacker can trigger cache key collisions via crafted paths, causing one URL to serve cached responses of another (cache poisoning/mixup). This vulnerability is fixed in 2.20.0.

References

Affected packages

PyPI / litestar

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.20.0

Affected versions

1.*
1.0.0a0
2.*
2.0.0a3
2.0.0a4
2.0.0a5
2.0.0a6
2.0.0a7
2.0.0b1
2.0.0b2
2.0.0b3
2.0.0b4
2.0.0rc1
2.0.0
2.0.1
2.1.0
2.1.1
2.2.0
2.2.1
2.3.0
2.3.1
2.3.2
2.4.0
2.4.1
2.4.2
2.4.3
2.4.4
2.4.5
2.5.0
2.5.1
2.5.2
2.5.3
2.5.4
2.5.5
2.6.0
2.6.1
2.6.2
2.6.3
2.6.4
2.7.0
2.7.1
2.7.2
2.8.0
2.8.1
2.8.2
2.8.3
2.9.0
2.9.1
2.10.0
2.11.0
2.12.0
2.12.1
2.13.0
2.14.0
2.15.0
2.15.1
2.15.2
2.16.0
2.17.0
2.18.0
2.19.0

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/litestar/PYSEC-2026-2197.yaml"