The vulnerability CVE-2026-25480 affects the litestar ASGI framework, specifically its FileStore cache backend prior to version 2.20.0. FileStore maps cache keys to filenames by applying Unicode NFKD normalization followed by ord() substitution of characters, but critically, it does so without inserting separators between character codes. This approach can cause distinct cache keys to collide if crafted Unicode paths normalize to the same sequence of ord() values concatenated together. An unauthenticated remote attacker can exploit this by sending specially crafted URL paths that cause the cache to serve responses intended for different URLs, effectively poisoning or mixing cached responses. This can lead to confidentiality breaches by exposing cached data from one user or request to another, and integrity issues by serving incorrect or maliciously crafted content. The vulnerability does not affect availability and requires no authentication or user interaction, making it remotely exploitable over the network. The issue stems from improper handling of Unicode normalization (CWE-176) and inadequate separation of cache key components. The vulnerability was publicly disclosed on February 9, 2026, with a CVSS v3.1 score of 6.5 (medium severity), reflecting its network attack vector, low attack complexity, no privileges required, and impact on confidentiality and integrity but not availability. The fix was introduced in litestar version 2.20.0 by correcting the cache key mapping to avoid collisions. No known exploits have been reported in the wild to date.

For European organizations using litestar versions prior to 2.20.0, particularly those employing the FileStore cache backend for response caching, this vulnerability poses a risk of cache poisoning. This can lead to unauthorized disclosure of cached content, potentially exposing sensitive information across different users or requests. Additionally, integrity of served content can be compromised, resulting in users receiving incorrect or maliciously altered responses. While availability is not directly impacted, the trustworthiness and confidentiality of web applications relying on litestar caching are at risk. Organizations in sectors handling sensitive data—such as finance, healthcare, and government—may face regulatory and reputational consequences if such data leakage occurs. The vulnerability's ease of exploitation without authentication increases risk, especially for public-facing web services. However, the absence of known exploits in the wild suggests limited active exploitation currently, but proactive mitigation is critical to prevent future attacks.

The primary and most effective mitigation is to upgrade all litestar deployments to version 2.20.0 or later, where the cache key collision issue is resolved. Organizations should audit their use of the FileStore cache backend and assess whether any cached responses could have been affected. For environments where immediate upgrade is not feasible, consider disabling the FileStore response cache backend or replacing it with alternative caching mechanisms that properly handle Unicode normalization and key separation. Implement monitoring to detect unusual cache behavior or unexpected content served from cache. Additionally, review application-level input validation and normalization of URL paths to reduce the risk of crafted inputs triggering cache collisions. Security teams should also ensure that web application firewalls (WAFs) and intrusion detection systems are tuned to detect anomalous requests that might exploit this vulnerability. Finally, maintain an inventory of affected systems and ensure timely patch management processes are in place to prevent exploitation.