CVE-2025-69202
Authorization Bypass in axios-cache-interceptor via Cache Key Misuse

Publication date: 2025-12-29

Last updated on: 2025-12-29

Assigner: GitHub, Inc.

Description
Axios Cache Interceptor is a cache interceptor for axios. Prior to version 1.11.1, when a server calls an upstream service using different auth tokens, axios-cache-interceptor returns incorrect cached responses, leading to authorization bypass. The cache key is generated only from the URL, ignoring request headers like `Authorization`. When the server responds with `Vary: Authorization` (indicating the response varies by auth token), the library ignores this, causing all requests to share the same cache entry regardless of authorization.

Affected: server-side applications (APIs, proxies, backend services) that use axios-cache-interceptor to cache requests to upstream services, handle requests from multiple users with different auth tokens, and call upstream services that rely on `Vary` to differentiate cached responses. Browser/client-side applications (single user per browser session) are not affected.

Impact: services using different auth tokens to call upstream services will return incorrect cached data, bypassing authorization checks and leaking user data across different authenticated sessions.

Fix: as of `v1.11.1`, automatic `Vary` header support is enabled by default. When the server responds with `Vary: Authorization`, cache keys now include the authorization header value, so each user gets their own cache entry.
Meta Information
Published: 2025-12-29
Last Modified: 2025-12-29
Generated: 2026-05-07
AI Q&A: 2025-12-29
EPSS Evaluated: 2026-05-05
NVD
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
axios axios_cache_interceptor 1.11.1
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
CWE-524 The code uses a cache that contains sensitive information, but the cache can be read by an actor outside of the intended control sphere.
CWE-573 The product does not follow or incorrectly follows the specifications as required by the implementation language, environment, framework, protocol, or platform.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability occurs in axios-cache-interceptor versions prior to 1.11.1, where the cache key is generated only from the URL and ignores request headers like Authorization. When a server responds with a Vary: Authorization header, indicating that responses vary based on the authorization token, the library incorrectly shares the same cached response across different auth tokens. This leads to authorization bypass because users can receive cached data intended for other users with different tokens.


How can this vulnerability impact me?

If your server-side application uses axios-cache-interceptor to cache requests to upstream services and handles requests from multiple users with different authorization tokens, this vulnerability can cause incorrect cached data to be returned. This means users might receive data they are not authorized to see, leading to authorization bypass and potential leakage of sensitive user data across different authenticated sessions.


What immediate steps should I take to mitigate this vulnerability?

Upgrade axios-cache-interceptor to version 1.11.1 or later, where automatic support for the Vary header is enabled by default. This ensures that cache keys include the Authorization header value when the server responds with Vary: Authorization, preventing authorization bypass and incorrect cached responses.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability can lead to authorization bypass and leakage of sensitive user data across different authenticated sessions due to incorrect caching of responses ignoring the Authorization header. Such unauthorized data exposure can violate data protection and privacy regulations like GDPR and HIPAA, which require strict controls on access to personal and sensitive information. Therefore, affected applications using vulnerable versions of axios-cache-interceptor risk non-compliance with these standards until they upgrade to version 1.11.1 or later, which fixes the issue by properly including the Authorization header in cache keys. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Start with the dependency: run `npm ls axios-cache-interceptor` (or inspect the lockfile) in each server-side project and flag any resolved version below 1.11.1. A version below 1.11.1 is only a problem when that service caches calls to an upstream that returns per-user data and signals this with `Vary: Authorization`, so confirm the behaviour end to end. Send two requests to your service that make it call the same upstream URL with different tokens, within the cache lifetime of the first response, and compare the bodies. For example:

    curl -H "Authorization: Bearer 123" https://your-api.example.com/endpoint
    curl -H "Authorization: Bearer 456" https://your-api.example.com/endpoint

If the second response carries the first user's data even though the upstream returns different data for the two tokens and sets `Vary: Authorization`, the cache key is collapsing both users onto one entry and the service is affected. This is cross-user cache sharing rather than cache poisoning: no attacker-controlled content is stored, but whichever user primes the entry has their data served to every other caller until it expires. Remediate by upgrading axios-cache-interceptor to version 1.11.1 or later. [1]

