CVE-2026-25480

Name: CVE-2026-25480
Creator: NVD / NIST
Published: 2026-02-09T20:15:57.33+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

MEDIUMCVSS 6.5/10EPSS 0.41%

Last modified Jun 17, 2026

CVE-2026-25480 is a medium-severity vulnerability rated 6.5/10 on the CVSS scale. Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to 2.20.0, FileStore maps cache keys to filenames using Unicode NFKD normalization and ord() substitution without separators, creating key collisions. EPSS estimates a 0.41% chance of exploitation in the next 30 days.

Description

Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to 2.20.0, FileStore maps cache keys to filenames using Unicode NFKD normalization and ord() substitution without separators, creating key collisions. When FileStore is used as response-cache backend, an unauthenticated remote attacker can trigger cache key collisions via crafted paths, causing one URL to serve cached responses of another (cache poisoning/mixup). This vulnerability is fixed in 2.20.0.

Metrics

CVSS 3.1

6.5/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

EPSS Probability

0.41%

32.9th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-176

Affected Software

Vendor	Product	Versions
Litestar	Litestar	< 2.20.0

References

https://docs.litestar.dev/2/release-notes/changelog.html#2.20.0Release Notes
https://github.com/litestar-org/litestar/commit/85db6183a76f8a6b3fd6ee3c88d860b9f37a2ccaPatch
https://github.com/litestar-org/litestar/releases/tag/v2.20.0Release Notes
https://github.com/litestar-org/litestar/security/advisories/GHSA-vxqx-rh46-q2pgExploit, Vendor Advisory

Timeline

Published: Feb 9, 2026
Last Modified: Jun 17, 2026
Status: Analyzed

Frequently Asked Questions

What is CVE-2026-25480?

How severe is CVE-2026-25480?

CVE-2026-25480 has a CVSS score of 6.5/10 (MEDIUM severity). The EPSS model estimates a 0.41% probability of exploitation in the next 30 days.

How do I fix CVE-2026-25480?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2026-25480?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST