CVE-2026-25480: Litestar's FileStore key canonicalization collisions allow response cache mixup/poisoning (ASCII ord + Unicode NFKD)

February 9, 2026

FileStore maps cache keys to filenames using Unicode NFKD normalization and ord() substitution without separators, creating key collisions. When FileStore is used as response-cache backend, an unauthenticated remote attacker can trigger cache key collisions via crafted paths, causing one URL to serve cached responses of another (cache poisoning/mixup)

References

github.com/advisories/GHSA-vxqx-rh46-q2pg
github.com/litestar-org/litestar
github.com/litestar-org/litestar/security/advisories/GHSA-vxqx-rh46-q2pg
nvd.nist.gov/vuln/detail/CVE-2026-25480

Code Behaviors & Features

Detect and mitigate CVE-2026-25480 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →