CVE-2026-25480 Overview
CVE-2026-25480 is a cache poisoning vulnerability in Litestar, an Asynchronous Server Gateway Interface (ASGI) framework. Prior to version 2.20.0, the FileStore component maps cache keys to filenames by applying Unicode NFKD normalization and then substituting ord() values for characters that are not filename-safe, with no separator between the substituted values, so distinct keys can map to the same filename. When FileStore is used as the response-cache backend, an unauthenticated remote attacker can trigger such collisions with crafted paths, causing one URL to serve the cached response of another (cache poisoning/mixup).
Critical Impact
Unauthenticated remote attackers can exploit cache key collisions so that one URL serves the cached response of another, exposing data intended for a different endpoint or placing unintended content under a legitimate URL.
Affected Products
- Litestar versions prior to 2.20.0
- Applications using FileStore as response-cache backend
- ASGI-based web applications leveraging Litestar caching functionality
Discovery Timeline
- 2026-02-09 - CVE-2026-25480 published to NVD
- 2026-02-09 - Last updated in NVD database
Technical Details for CVE-2026-25480
Vulnerability Analysis
This vulnerability falls under CWE-176 (Improper Handling of Unicode Encoding). The FileStore caching mechanism in Litestar derives a filename from each cache key by applying Unicode NFKD (Normalization Form Compatibility Decomposition) normalization and then substituting ord() values for characters that are not filename-safe. The fundamental flaw is the absence of separators between the substituted ordinal values: a run of digits that is literally present in one key is indistinguishable from the ordinal of a substituted character in another, so distinct input strings produce identical filenames. NFKD adds a second collision path, because compatibility characters (a ligature, or a precomposed accented letter) are decomposed to their base characters before the substitution runs.
When Litestar's FileStore is configured as the response-cache backend, every cached response is stored under a filename derived from the cache key, which by default is built from the request URL. The vulnerable mapping can therefore cause two different URLs to resolve to the same cache filename. An attacker who identifies colliding URL patterns can craft requests that poison the cache, causing legitimate user requests to receive responses intended for different endpoints.
The attack is particularly concerning because it requires no authentication and can be executed entirely over the network. The impact affects both confidentiality (sensitive data from one endpoint may be exposed via another) and integrity (users receive incorrect cached content).
Root Cause
The root cause is the cache key to filename mapping in the FileStore component. The algorithm applies Unicode NFKD normalization and then substitutes ord() values for the characters it considers unsafe in a filename. Without a delimiter between those ordinal values, and with NFKD folding compatibility characters first, distinct input strings collapse into identical output filenames. Because the mapping is deterministic and public, an attacker can compute, for a target URL, a second URL that maps to the same cache entry.
Attack Vector
The attack is network-based and does not require authentication or user interaction. An attacker can exploit this vulnerability by:
- Identifying URL patterns that collide after Unicode NFKD normalization and ord() substitution
- Sending requests with crafted paths that map to the same cache key as target endpoints
- Poisoning the cache with attacker-controlled or misleading content
- Waiting for legitimate users to request the target URL, which now serves the poisoned cached response
The vulnerability manifests in the FileStore cache key normalization logic. The fix in version 2.20.0 addresses the collision issue by properly separating ordinal values during filename generation. For technical implementation details, see the fix commit on GitHub and the GitHub Security Advisory GHSA-vxqx-rh46-q2pg.
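The following is an added example, not code from Litestar or from the advisory. It reconstructs the pre-2.20.0 key-to-filename mapping from the description above (NFKD normalize, keep alphanumerics, replace everything else with its decimal ord() value, no separator) and shows how a collision partner is built for a cached route with a path parameter. The route prefixes, parameter values and the `collide_alias` helper are illustrative assumptions; the exact character class Litestar treated as filename-safe should be confirmed against the fix commit.

```python
import unicodedata
from typing import Optional


def vulnerable_file_name(key: str) -> str:
    # Reconstruction of the pre-2.20.0 mapping as the advisory describes it (not
    # copied from Litestar): NFKD-normalise, keep alphanumerics, and replace every
    # other character with its decimal ord() value with no separator in between.
    normalized = unicodedata.normalize("NFKD", key)
    return "".join(c if c.isalnum() else str(ord(c)) for c in normalized)


def collide_alias(route_prefix: str, param: str) -> Optional[str]:
    # Hypothetical helper: for a cached route such as "/users/{name}", build a
    # second parameter value that lands on the same cache file as `param`.
    # The mapping's output is itself alphanumeric, so feeding it back in is a
    # fixed point: vulnerable_file_name(prefix + alias) == vulnerable_file_name(prefix + param).
    alias = vulnerable_file_name(param)
    if alias == param:
        # Already a fixed point; its collision partners are the non-alphanumeric
        # spellings that fold onto it (the reverse direction of this helper).
        return None
    return route_prefix + alias


def demo():
    # Constructed cases; the route prefixes are assumptions, not real Litestar routes.
    cases = [
        ("/users/", "jos\u00e9"),   # U+00E9 -> NFKD "e" + U+0301 -> "e769"
        ("/docs/", "\ufb01le"),     # U+FB01 ligature "fi" -> NFKD "fi"
        ("/items/", "a-1"),         # '-' -> "45", so "a-1" and "a451" coincide
        ("/items/", "a451"),        # already alphanumeric: no alias from this side
    ]
    results = []
    for prefix, param in cases:
        alias = collide_alias(prefix, param)
        same = alias is not None and (
            vulnerable_file_name(prefix + param) == vulnerable_file_name(alias)
        )
        results.append((prefix + param, alias, same))
    return results


if __name__ == "__main__":
    for original, alias, same in demo():
        print(f"{original!r} -> {alias!r} collides={same}")
```

Note that the alias keeps the static part of the route intact and only rewrites the path parameter, since the attacker's request must still be routed to the cached handler for a response to be written under the colliding filename.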
Detection Methods for CVE-2026-25480
Indicators of Compromise
- Unexpected cache behavior where responses do not match requested URLs
- Users reporting receiving incorrect page content or data from different endpoints
- Anomalous web request patterns with Unicode characters or unusual URL encodings in path segments
- A single FileStore cache file being written by requests for different logical endpoints (a collision produces one identical filename, not two similar ones, so a directory listing alone will not reveal it)
Detection Strategies
- Monitor web server access logs for request paths containing percent-encoded non-ASCII characters, Unicode compatibility characters, or digit runs where punctuation or a path separator would normally appear, which may indicate collision attempts
- Implement cache integrity verification by comparing response content with expected endpoint data
- Deploy application-layer monitoring to detect cache hit/miss anomalies that deviate from normal traffic patterns
- Replay logged request paths through the vulnerable key-to-filename mapping and flag distinct paths that yield the same filename; the cache directory itself cannot show a collision because colliding keys share one file
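As an added example for the log-replay strategy above (not tooling from the Litestar project), the script below parses constructed access-log lines in common log format, percent-decodes each path as the ASGI server would before handing it to the application, replays the reconstructed pre-2.20.0 mapping, and reports every cache filename reached by more than one distinct path. The log lines and IP addresses are constructed, and the mapping is the same reconstruction used elsewhere on this page.

```python
import re
import unicodedata
from collections import defaultdict
from urllib.parse import unquote

# Constructed access-log lines in common log format; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [09/Feb/2026:10:00:01 +0000] "GET /api/report451 HTTP/1.1" 200 512
10.0.0.9 - - [09/Feb/2026:10:00:02 +0000] "GET /api/report-1 HTTP/1.1" 200 2048
10.0.0.9 - - [09/Feb/2026:10:00:03 +0000] "GET /%EF%AC%81le HTTP/1.1" 200 77
10.0.0.7 - - [09/Feb/2026:10:00:04 +0000] "GET /file HTTP/1.1" 200 77
10.0.0.7 - - [09/Feb/2026:10:00:05 +0000] "GET /healthz?x=1 HTTP/1.1" 200 2
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def vulnerable_file_name(key: str) -> str:
    # Reconstruction of the pre-2.20.0 mapping as the advisory describes it.
    normalized = unicodedata.normalize("NFKD", key)
    return "".join(c if c.isalnum() else str(ord(c)) for c in normalized)


def scan_log(text: str) -> dict:
    """Map each cache filename to the distinct decoded paths that reach it and
    return only the filenames reached by more than one path."""
    by_name = defaultdict(dict)  # filename -> {decoded path: [client ips]}
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in common log format
        # The ASGI server hands Litestar a percent-decoded path, so decode before
        # replaying the mapping. The query string is ignored here; the default key
        # builder appends it, so extend the replay if your cached routes vary on it.
        path = unquote(m["target"].split("?", 1)[0])
        by_name[vulnerable_file_name(path)].setdefault(path, []).append(m["ip"])
    return {name: paths for name, paths in by_name.items() if len(paths) > 1}


if __name__ == "__main__":
    for name, paths in scan_log(SAMPLE_LOG).items():
        print(f"cache file {name} reached by {sorted(paths)}")
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; a non-empty result is a strong indicator of either an attack in progress or an accidental collision between two legitimate routes, and either case warrants clearing the cache after upgrading.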
Monitoring Recommendations
- Log the computed cache key (and, for FileStore, the resulting filename) alongside the request path in your application so that two paths landing on one entry can be traced
- Set up alerts for unusual cache hit ratios or unexpected cache invalidation patterns
- Monitor for increased error rates or user complaints about receiving incorrect content
- Implement periodic cache audits to identify potential collision artifacts
How to Mitigate CVE-2026-25480
Immediate Actions Required
- Upgrade Litestar to version 2.20.0 or later immediately
- Review application configurations to identify deployments using FileStore as the response-cache backend
- Clear existing cache stores after upgrading to remove any potentially poisoned entries
- Consider temporarily disabling response caching until the upgrade is applied if immediate patching is not possible
Patch Information
The vulnerability has been fixed in Litestar version 2.20.0. The patch modifies the cache key generation algorithm to properly separate ordinal values, eliminating the collision vulnerability. Organizations should upgrade to this version or later to remediate the issue.
For detailed patch information, refer to the fix commit on GitHub and the GitHub Security Advisory GHSA-vxqx-rh46-q2pg.
Workarounds
- Switch to an alternative store backend (for example Litestar's Redis or in-memory store) that does not use the vulnerable FileStore filename mapping; note that an in-memory store is per process and is not shared across workers
- Implement a custom cache key builder that hashes the key with a collision-resistant function (e.g. SHA-256) before it reaches FileStore; the hex digest is purely alphanumeric, so the vulnerable ord() substitution leaves it unchanged and distinct keys stay distinct
- Add input validation to reject or normalize URLs at the application layer before they reach the caching mechanism
- Disable response caching entirely for sensitive endpoints until the upgrade can be completed
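As an added example for the hashing workaround above (not Litestar's own code), the key builder below canonicalizes the request target and then hashes it with SHA-256. NFC is used rather than NFKD so that canonically equivalent spellings share one entry deliberately while compatibility characters such as ligatures stay distinct; the commented wiring into ResponseCacheConfig is an assumption to be checked against the Litestar version in use.

```python
import hashlib
import unicodedata
from typing import Mapping, Optional
from urllib.parse import urlencode


def hardened_cache_key(path: str, query: Optional[Mapping[str, str]] = None) -> str:
    # Canonicalise the request target first: NFC keeps canonically equivalent
    # spellings together without folding compatibility characters the way NFKD
    # does, and sorting the query makes parameter order irrelevant.
    canonical = unicodedata.normalize("NFC", path)
    if query:
        canonical += "?" + urlencode(sorted(query.items()))
    # SHA-256 hex is 64 characters of [0-9a-f]. FileStore's ord() substitution only
    # rewrites non-alphanumerics, so the digest passes through unchanged and the
    # only remaining collision source is SHA-256 itself.
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


# Assumed wiring into Litestar (example, verify against your installed version):
#
# from litestar import Litestar
# from litestar.config.response_cache import ResponseCacheConfig
#
# def key_builder(request):
#     return hardened_cache_key(request.url.path, dict(request.query_params.items()))
#
# app = Litestar(
#     route_handlers=[...],
#     response_cache_config=ResponseCacheConfig(key_builder=key_builder),
# )
```

The digest is opaque, so keep the original path in your access logs if you need to correlate cache entries with requests; the detection replay described earlier does not apply once keys are hashed.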
# Example: verify the installed Litestar version and upgrade
pip show litestar | grep Version
# Quote the requirement: an unquoted '>' is treated as a shell redirection
pip install --upgrade "litestar>=2.20.0"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

