CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-25480: The Kelvin Collision: Breaking Litestar's Cache with Basic Arithmetic


Vulnerability ID: CVE-2026-25480
CVSS Score: 6.5
Published: 2026-02-09

A critical flaw in Litestar's FileStore component allows remote attackers to poison the server-side cache by exploiting a naive filename sanitization algorithm. By crafting specific request paths containing non-alphanumeric characters or Unicode anomalies (like the Kelvin sign), an attacker can force a filename collision on the disk, overwriting legitimate cache entries with malicious content.

TL;DR

Litestar's file-based caching mechanism used a lossy string replacement method to generate filenames from keys. After NFKD-normalizing the key, it kept alphanumeric characters and replaced every other character with its decimal code point value (e.g., '-' becomes '45') with no separator. Because the digits are indistinguishable from digits already in the key, attackers can craft URLs that resolve to the same cache file as legitimate URLs, leading to cache poisoning.
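The two naming schemes side by side, as an added example that is not code from the advisory or from the Litestar project. `vulnerable_safe_file_name` reproduces the pre-fix logic shown in the commit below and `fixed_safe_file_name` the hashed replacement; `COLLISION_PAIRS` and the helper functions are constructed here to show how a defender can check a sanitizer for collisions.

```python
import hashlib
import unicodedata


def vulnerable_safe_file_name(name: str) -> str:
    """Pre-2.20.0 behaviour (reproduced from the commit): NFKD-normalize,
    keep alphanumerics, replace everything else with its code point in
    decimal, with no separator. The mapping is lossy, so distinct keys can
    yield the same file name."""
    name = unicodedata.normalize("NFKD", name)
    return "".join(c if c.isalnum() else str(ord(c)) for c in name)


def fixed_safe_file_name(name: str) -> str:
    """Post-fix behaviour: a fixed-length BLAKE2s digest of the raw key
    bytes. No normalization, so U+212A and 'K' stay distinct, and every
    byte of the key influences the name."""
    return hashlib.blake2s(name.encode()).hexdigest()


# Constructed key pairs (not taken from the advisory) that map to the same
# file name under the lossy scheme.
COLLISION_PAIRS = [
    ("user-1", "user451"),        # '-' -> '45', then the literal '1' follows
    ("\u212Aelvin", "Kelvin"),    # KELVIN SIGN (U+212A) NFKD-folds to 'K'
    ("a/b", "a47b"),              # '/' -> '47'
]


def collides(sanitize, a: str, b: str) -> bool:
    """True when two different keys are stored under one file name."""
    return a != b and sanitize(a) == sanitize(b)


def find_collisions(sanitize, keys):
    """Group keys by their sanitized file name and return only the names
    shared by more than one distinct key. Useful as a regression check
    over a corpus of real cache keys before trusting a sanitizer."""
    seen = {}
    for key in keys:
        seen.setdefault(sanitize(key), set()).add(key)
    return {name: ks for name, ks in seen.items() if len(ks) > 1}


if __name__ == "__main__":
    for a, b in COLLISION_PAIRS:
        print(f"{a!r} vs {b!r}: lossy={collides(vulnerable_safe_file_name, a, b)}"
              f" hashed={collides(fixed_safe_file_name, a, b)}")
```

Running the module prints `lossy=True hashed=False` for each pair: the hashed scheme keeps all three apart, while the lossy scheme lets the second key of each pair overwrite the first key's cache file.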


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-178
  • Attack Vector: Network
  • CVSS Score: 6.5
  • Impact: Cache Poisoning
  • Exploit Status: Proof of Concept Available
  • KEV Status: Not Listed

Affected Systems

  • Litestar Framework < 2.20.0 using FileStore
  • Litestar: < 2.20.0 (Fixed in: 2.20.0)

Code Analysis

Commit: 85db618

fix: use hash for file store names to prevent collisions

def _safe_file_name(name: str) -> str:
-    name = unicodedata.normalize("NFKD", name)
-    return "".join(c if c.isalnum() else str(ord(c)) for c in name)
+    return hashlib.blake2s(name.encode()).hexdigest()
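Review bot: the replacement line calls `hashlib.blake2s`, but no `import hashlib` appears in the hunk, and the `unicodedata` import that only the removed lines used may now be dead; confirm both imports were adjusted in the same commit. The fix itself is sound: `hashlib.blake2s(name.encode()).hexdigest()` gives a fixed-length hex name that depends on every byte of the key, so distinct keys no longer share a file, and dropping the NFKD step removes the fold that turned the Kelvin sign into a plain 'K'. Worth a docstring or changelog line: files written under the old naming scheme will not be found after the upgrade, which is consistent with the remediation advice to clear the FileStore directory.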

Exploit Details

  • Manual: Local reproduction using a Python script to demonstrate the string collision.

Mitigation Strategies

  • Update Litestar to version 2.20.0 or higher immediately.
  • Switch from FileStore to RedisStore or MemoryStore if patching is not immediately feasible, as these stores do not rely on the vulnerable filename generation logic.
  • Implement strict input validation on API parameters to reject unexpected characters (like hyphens in numeric ID fields) before they reach the caching layer.

Remediation Steps:

  1. Run pip install --upgrade litestar to fetch the latest version.
  2. Clear the existing FileStore directory manually (e.g., rm -rf /tmp/litestar_cache/*) to remove any potentially poisoned cache entries created prior to the patch.
  3. Verify the update by checking litestar.__version__ in your application environment.

References
Read the full report for CVE-2026-25480 on our website for more details including interactive diagrams and full exploit analysis.
