CVE-2026-25480

6.5 MEDIUM

📋 TL;DR

This vulnerability in Litestar's FileStore cache backend allows unauthenticated attackers to cause cache key collisions through specially crafted URLs. When exploited, it can make one URL serve cached responses from another URL, leading to cache poisoning or mixup. This affects all Litestar applications using FileStore as a response-cache backend prior to version 2.20.0.

💻 Affected Systems

Products:
  • Litestar
Versions: All versions prior to 2.20.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems using FileStore as response-cache backend. Other cache backends are not vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could serve malicious cached content to users, potentially leading to data leakage, authentication bypass, or serving of harmful content.

🟠 Likely Case

Cache mixup causing incorrect data to be served to users, potentially exposing sensitive information or causing application errors.

🟢 If Mitigated

Limited impact if the cache contains only non-sensitive data, or if proper input validation and output encoding are implemented elsewhere.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires knowledge of the cache key generation algorithm and ability to craft specific Unicode paths.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.20.0

Vendor Advisory: https://github.com/litestar-org/litestar/security/advisories/GHSA-vxqx-rh46-q2pg

Restart Required: Yes

Instructions:

1. Update Litestar to version 2.20.0 or later using pip: pip install --upgrade "litestar>=2.20.0" (the quotes keep the shell from treating >= as a redirection)
2. Restart your application server
3. Clear the existing cache to remove potentially poisoned entries

🔧 Temporary Workarounds

Switch to an alternative cache backend (applies to: all)

Use a different cache backend (e.g., Redis, Memcached) instead of FileStore. Modify your Litestar configuration to use that backend as the response-cache store.

Disable response caching (applies to: all)

Temporarily disable response caching until the patch can be applied. Set response caching to disabled in your Litestar configuration.

🧯 If You Can't Patch

  • Implement WAF rules to block suspicious Unicode path patterns
  • Monitor cache access logs for unusual patterns of cache key collisions

🔍 How to Verify

Check if Vulnerable:

Check if using Litestar <2.20.0 with FileStore as response-cache backend

Check Version:

python -c "import litestar; print(litestar.__version__)"

Verify Fix Applied:

Verify Litestar version is 2.20.0 or higher and test cache functionality
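The following script is an added example, not part of the advisory or of Litestar's own tooling. It encodes the two conditions above (version below 2.20.0, and FileStore configured as the response-cache backend) as a single check. The version parser, the conservative handling of 2.20.0 pre-releases, and the store_class_name argument are assumptions of this example; the store name must be taken from your own application configuration.

```python
"""Check whether a Litestar installation falls in the range affected by
CVE-2026-25480: all versions before 2.20.0, and only when FileStore is the
response-cache backend. Standard library only; litestar itself need not be
importable in the environment that runs the check."""
import re
from importlib.metadata import PackageNotFoundError, version as pkg_version

FIXED_VERSION = (2, 20, 0)  # first fixed release per the advisory

# Accepts '2.19.1', 'v2.20', '2.20.0rc1', '2.20.0.dev3' (assumed version shapes).
_VERSION_RE = re.compile(
    r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?(?P<pre>(?:a|b|rc|\.dev)\d*)?"
)


def parse_version(text):
    """Return ((major, minor, patch), is_prerelease) for a version string."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    return nums, m.group("pre") is not None


def is_vulnerable_version(text):
    """True for every release below 2.20.0. A pre-release of 2.20.0 itself is
    treated as vulnerable (assumption: the advisory names only the final
    2.20.0 release as fixed)."""
    nums, pre = parse_version(text)
    if nums < FIXED_VERSION:
        return True
    return nums == FIXED_VERSION and pre


def installed_litestar_version():
    """Version of the installed litestar distribution, or None if absent."""
    try:
        return pkg_version("litestar")
    except PackageNotFoundError:
        return None


def assess(version_text, store_class_name):
    """Combine both advisory conditions. store_class_name is the class name of
    the store configured as the response-cache backend, e.g. 'FileStore' or
    'RedisStore' (assumed to be read from your app configuration)."""
    if not is_vulnerable_version(version_text):
        return f"not vulnerable: version {version_text} is at or above 2.20.0"
    if store_class_name != "FileStore":
        return (f"not affected: version {version_text} is below 2.20.0 but the "
                f"response-cache backend is {store_class_name}, not FileStore")
    return (f"VULNERABLE: version {version_text} is below 2.20.0 and FileStore "
            f"is the response-cache backend; upgrade and clear the cache")


if __name__ == "__main__":
    installed = installed_litestar_version()
    if installed is None:
        print("litestar is not installed in this environment")
    else:
        # Replace "FileStore" with the backend your configuration actually uses.
        print(assess(installed, "FileStore"))
```

Run it inside the virtual environment of the deployed application, since importlib.metadata reports only the distribution visible to that interpreter.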

📡 Detection & Monitoring

Log Indicators:

  • Multiple cache hits for different URLs with same cache key
  • Unusual Unicode patterns in URL paths

Network Indicators:

  • Requests with specially crafted Unicode paths
  • Cache headers showing incorrect cache keys

SIEM Query:

source="application_logs" AND ("cache key collision" OR ("FileStore" AND "cache poisoning"))
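The two log indicators above (one cache key served for different URLs, and non-ASCII characters in request paths) can be checked offline with the following script. It is an added example, not part of the advisory; the log line format and the sample lines are constructed for illustration, since Litestar does not emit cache keys in this form by default, so adapt LINE_RE to whatever your application or reverse proxy actually logs.

```python
"""Detection aid for CVE-2026-25480: report response-cache keys that have been
served for more than one distinct request path, and request paths that decode
to non-ASCII (Unicode) characters.

Log format below is constructed for this example (assumption): an application
log line carrying path="...", cache_key="..." and cache=HIT|MISS fields."""
import re
from collections import defaultdict
from urllib.parse import unquote

LINE_RE = re.compile(
    r'path="(?P<path>[^"]*)"\s+cache_key="(?P<key>[^"]*)"\s+cache=(?P<status>HIT|MISS)'
)

# Constructed sample lines: key a1b2 is served for two different paths.
SAMPLE_LOG = """\
2026-02-01T10:00:01Z INFO response_cache path="/api/users/1" cache_key="a1b2" cache=MISS
2026-02-01T10:00:02Z INFO response_cache path="/api/users/1" cache_key="a1b2" cache=HIT
2026-02-01T10:00:03Z INFO response_cache path="/api/users/2" cache_key="c3d4" cache=MISS
2026-02-01T10:00:04Z INFO response_cache path="/api/us%C3%A9rs/1" cache_key="a1b2" cache=HIT
2026-02-01T10:00:05Z INFO response_cache path="/healthz" cache_key="e5f6" cache=HIT
"""


def parse_lines(text):
    """Yield (path, cache_key, status) for every line matching LINE_RE."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("path"), m.group("key"), m.group("status")


def find_key_collisions(text):
    """Map each cache key seen with more than one distinct path to the sorted
    list of those paths. One key serving several URLs is the mixup the
    advisory describes."""
    paths_by_key = defaultdict(set)
    for path, key, _status in parse_lines(text):
        paths_by_key[key].add(path)
    return {key: sorted(paths) for key, paths in paths_by_key.items() if len(paths) > 1}


def find_non_ascii_paths(text):
    """Return the distinct request paths whose percent-decoded form contains
    non-ASCII characters."""
    found = set()
    for path, _key, _status in parse_lines(text):
        if not unquote(path).isascii():
            found.add(path)
    return sorted(found)


if __name__ == "__main__":
    for key, paths in find_key_collisions(SAMPLE_LOG).items():
        print(f"cache key {key} served for {len(paths)} paths: {paths}")
    for path in find_non_ascii_paths(SAMPLE_LOG):
        print(f"non-ASCII request path: {path}")
```

Non-ASCII paths are a legitimate feature of many applications, so treat that second list as context for the first rather than as an alert on its own; a key that maps to more than one path is the stronger signal.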
