litestar
cpe:2.3:a:litestar:litestar:*:*:*:*:*:*:*
- 2.19.0
A vulnerability in Litestar's FileStore response caching mechanism prior to version 2.20.0 can lead to cache key collisions and subsequent cache poisoning. FileStore normalizes cache keys using Unicode NFKD normalization and ordinal substitution without separators, creating collisions that an unauthenticated remote attacker can exploit. This vulnerability arises because the default cache key includes the request path and sorted query parameters, both of which can be controlled by the attacker. As a result, one URL can serve cached responses intended for another, potentially causing confidentiality and integrity issues depending on the cached endpoints.
Exploitation of this vulnerability causes cache key collisions, leading to one URL serving cached responses from another, which can disrupt the application's response handling and potentially expose sensitive information or cause incorrect data to be presented to the user.
The vulnerability can be reproduced by using Litestar's FileStore as a response cache backend. When a request is made to a path crafted to trigger the key collision, the cache serves a response that was cached for a different URL under the same derived key. Two sources of collision are described: a key containing the Kelvin sign, which NFKD normalization maps to a regular 'K', and a path that exploits the ord() substitution performed without separators, so that the substituted digits of one key become indistinguishable from the literal characters of another.
Users can update to Litestar version 2.20.0 or later, where this vulnerability has been fixed.
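The following is an added illustration of the two collision classes described above and of a key-derivation scheme that avoids them. It is not Litestar's code: `weak_cache_key` is a simplified model of the mechanism the advisory describes (NFKD normalization followed by replacing non-alphanumeric characters with their ord() value and no separator), and `safe_cache_key` is a generic hashing approach assumed here as a mitigation, not necessarily the exact change shipped in 2.20.0. The sample keys are constructed.

```python
import hashlib
import unicodedata


def weak_cache_key(key: str) -> str:
    """Illustrative model of the flawed derivation (assumption, not Litestar's code).

    NFKD folds compatibility characters (e.g. the Kelvin sign) onto their ASCII
    look-alikes, and replacing each non-alphanumeric character with str(ord(c))
    with no separator lets the digits of one key masquerade as literal
    characters of another.
    """
    normalized = unicodedata.normalize("NFKD", key)
    return "".join(c if c.isalnum() else str(ord(c)) for c in normalized)


def safe_cache_key(key: str) -> str:
    """Hash the raw UTF-8 bytes of the original key.

    The output is fixed-length and filesystem-safe, and two different keys can
    only share a name if SHA-256 itself collides. (Assumed mitigation.)
    """
    return hashlib.sha256(key.encode("utf-8")).hexdigest()


def find_collisions(keys, derive):
    """Return (earlier_key, later_key) pairs whose derived names coincide."""
    seen: dict[str, str] = {}
    collisions = []
    for key in keys:
        derived = derive(key)
        if derived in seen and seen[derived] != key:
            collisions.append((seen[derived], key))
        seen.setdefault(derived, key)
    return collisions


# Constructed sample keys: a Kelvin-sign look-alike of "/users/K" and a path
# whose '/' characters (ord 47) collide with literal "47" digits in another key.
SAMPLE_KEYS = ["/users/K", "/users/\u212a", "/a/b", "47a47b"]

if __name__ == "__main__":
    print("weak  :", find_collisions(SAMPLE_KEYS, weak_cache_key))
    print("hashed:", find_collisions(SAMPLE_KEYS, safe_cache_key))
```

Running the block lists both collision pairs for the weak scheme and none for the hashed one; the difference is that hashing consumes the full, un-normalized key rather than a lossy transformation of it, which is the property a file-backed cache needs from its naming function.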