CVE-2026-25480: CWE-176: Improper Handling of Unicode Encoding in litestar-org litestar
CVE-2026-25480 is a medium severity vulnerability in the litestar ASGI framework versions prior to 2.20.0. It arises from improper handling of Unicode normalization in the FileStore cache backend, leading to cache key collisions. An unauthenticated remote attacker can exploit this by crafting specific URL paths that cause one URL to serve cached responses intended for another, resulting in cache poisoning or response mixups. This can lead to information disclosure and integrity issues without requiring authentication or user interaction. The vulnerability is fixed in litestar version 2.20.0. European organizations using vulnerable litestar versions in web applications with FileStore caching should prioritize upgrading to mitigate risks.
AI Analysis
Technical Summary
CVE-2026-25480 affects the litestar asynchronous server gateway interface (ASGI) framework, specifically versions prior to 2.20.0. The vulnerability stems from the FileStore cache backend's method of mapping cache keys to filenames. FileStore uses Unicode NFKD normalization combined with ord() substitution without separators to generate filenames from cache keys. This approach can cause different Unicode inputs to normalize into identical filenames, resulting in cache key collisions. An unauthenticated remote attacker can exploit this by sending specially crafted URL paths that produce colliding cache keys. Consequently, the cache may serve a cached response from one URL when another URL is requested, effectively poisoning the cache or mixing responses. This can lead to unauthorized information disclosure and integrity violations, as users may receive incorrect or sensitive data not intended for them. The vulnerability does not require authentication or user interaction and is exploitable over the network. The flaw is categorized under CWE-176 (Improper Handling of Unicode Encoding). The issue was resolved in litestar version 2.20.0 by correcting the key-to-filename mapping to prevent collisions. No known exploits are reported in the wild as of now.
Potential Impact
For European organizations, the impact of CVE-2026-25480 can be significant if they deploy web applications using vulnerable versions of litestar with FileStore caching enabled. The primary risk is cache poisoning, where an attacker can cause users to receive cached responses intended for other URLs, potentially exposing sensitive information or causing data integrity issues. This can undermine user trust and lead to compliance violations under regulations like GDPR if personal data is inadvertently disclosed. The vulnerability's unauthenticated, network-based exploitability increases the attack surface, especially for public-facing services. While availability is not affected, confidentiality and integrity impacts can disrupt business operations and damage reputations. Organizations relying on litestar for critical services or handling sensitive data should consider this vulnerability a moderate risk that requires prompt remediation.
Mitigation Recommendations
The primary mitigation is to upgrade litestar to version 2.20.0 or later, where the vulnerability is fixed. Organizations should audit their applications to identify any use of the FileStore cache backend and confirm the litestar version in use. If immediate upgrading is not feasible, consider disabling FileStore as the response-cache backend or replacing it with an alternative caching mechanism that does not suffer from Unicode normalization issues. Implement strict input validation and normalization on URL paths to reduce the risk of crafted inputs causing collisions. Additionally, monitor cache behavior for anomalies that may indicate cache poisoning attempts. Employ web application firewalls (WAFs) with rules to detect and block suspicious URL patterns. Finally, maintain an incident response plan to quickly address any suspected exploitation.
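To make the Technical Summary and the mitigation concrete, the following added example (not litestar's own code) models the key-to-filename scheme the summary describes, NFKD normalization plus ord() substitution with no separator, next to a hash-based mapping that cannot collide. The cache keys, the function names legacy_file_name, safe_file_name and find_collisions, and the SHA-256 choice are all assumptions made for this illustration.

```python
import hashlib
import unicodedata
from collections import defaultdict


def legacy_file_name(key: str) -> str:
    """Model of the flawed scheme described above (assumption, not litestar's code):
    NFKD-normalize the key, keep alphanumerics, and replace every other character
    with the decimal value of ord(c) with no separator in between."""
    normalized = unicodedata.normalize("NFKD", key)
    return "".join(c if c.isalnum() else str(ord(c)) for c in normalized)


def safe_file_name(key: str) -> str:
    """Collision-free mapping: hash the raw UTF-8 bytes of the *un-normalized* key.
    Distinct keys yield distinct digests (barring a SHA-256 collision) and the
    result is a fixed-length, filesystem-safe hex string."""
    return hashlib.sha256(key.encode("utf-8")).hexdigest()


def find_collisions(keys, mapper):
    """Return {filename: [keys...]} for each filename produced by more than one key.
    Useful as a defensive check before trusting any key-to-filename mapper."""
    buckets = defaultdict(list)
    for key in keys:
        buckets[mapper(key)].append(key)
    return {name: ks for name, ks in buckets.items() if len(ks) > 1}


# Constructed sample keys, as a response cache keyed on request path might hold.
SAMPLE_KEYS = [
    "/users/1",       # ord("/") == 47, so this collapses to "47users471"
    "/users471",      # literally spells the digits the key above collapses to
    "/users/\u2460",  # U+2460 CIRCLED DIGIT ONE; NFKD normalizes it to "1"
    "/users/2",       # control key that must not collide with the others
]

if __name__ == "__main__":
    print("legacy:", find_collisions(SAMPLE_KEYS, legacy_file_name))
    print("hashed:", find_collisions(SAMPLE_KEYS, safe_file_name))
```

Running it shows three distinct keys mapping to one legacy filename and none colliding under the hashed mapping, which is the property a replacement cache backend should be checked for.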
Affected Countries
Germany, United Kingdom, France, Netherlands, Sweden, Finland, Denmark
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-02T16:31:35.821Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 698a36074b57a58fa16ab1e0
Added to database: 2/9/2026, 7:31:19 PM
Last enriched: 2/9/2026, 7:47:43 PM
Last updated: 2/9/2026, 8:38:55 PM