← Voltar para CVEs

CVE-2026-25480

MEDIUM

6.5

Descricao

Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to 2.20.0, FileStore maps cache keys to filenames using Unicode NFKD normalization and ord() substitution without separators, creating key collisions. When FileStore is used as response-cache backend, an unauthenticated remote attacker can trigger cache key collisions via crafted paths, causing one URL to serve cached responses of another (cache poisoning/mixup). This vulnerability is fixed in 2.20.0.

Detalhes CVE

Pontuacao CVSS v3.16.5

SeveridadeMEDIUM

Vetor CVSSCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Vetor de ataqueNETWORK

ComplexidadeLOW

Privilegios necessariosNONE

Interacao do usuarioNONE

Publicado2/9/2026

Ultima modificacao2/17/2026

Fontenvd

Avistamentos honeypot0

Produtos afetados

litestar:litestar

Fraquezas (CWE)

CWE-176

Referencias

https://docs.litestar.dev/2/release-notes/changelog.html#2.20.0(security-advisories@github.com)

https://github.com/litestar-org/litestar/commit/85db6183a76f8a6b3fd6ee3c88d860b9f37a2cca(security-advisories@github.com)

https://github.com/litestar-org/litestar/releases/tag/v2.20.0(security-advisories@github.com)

https://github.com/litestar-org/litestar/security/advisories/GHSA-vxqx-rh46-q2pg(security-advisories@github.com)

Correlacoes IOC

Sem correlacoes registradas

This product uses data from the NVD API but is not endorsed or certified by the NVD.