CVE-2025-69202: CWE-524: Use of Cache Containing Sensitive Information in arthurfiorette axios-cache-interceptor
Axios Cache Interceptor is a cache interceptor for axios. Prior to version 1.11.1, when a server calls an upstream service using different auth tokens, axios-cache-interceptor returns incorrect cached responses, leading to authorization bypass. The cache key is generated only from the URL, ignoring request headers like `Authorization`. When the upstream server responds with `Vary: Authorization` (indicating that the response varies by auth token), the library ignores this, causing all requests to share the same cache regardless of authorization. Affected are server-side applications (APIs, proxies, backend services) that use axios-cache-interceptor to cache requests to upstream services, handle requests from multiple users with different auth tokens, and call upstream services that rely on `Vary` to differentiate caches. Browser/client-side applications (single user per browser session) are not affected. Services using different auth tokens to call upstream services will return incorrect cached data, bypassing authorization checks and leaking user data across different authenticated sessions. As of `v1.11.1`, automatic `Vary` header support is enabled by default: when the server responds with `Vary: Authorization`, cache keys include the authorization header value, so each user gets their own cache.
AI Analysis
Technical Summary
Axios-cache-interceptor is a caching library for the axios HTTP client that improves performance by caching upstream service responses. Prior to version 1.11.1, the library generated cache keys based only on the request URL, ignoring request headers such as Authorization. When an upstream service responds with a Vary: Authorization header, it indicates that the response content depends on the Authorization token used. However, axios-cache-interceptor ignored this header, causing all requests to share the same cached response regardless of differing auth tokens. As a result, server-side applications (such as APIs, proxies, or backend services) that handle multiple users with different authorization tokens receive cached responses intended for other users, which amounts to an authorization bypass and leaks sensitive information across authenticated sessions. The vulnerability is tracked as CVE-2025-69202 and is categorized under CWE-524 (Use of Cache Containing Sensitive Information), CWE-573 (Improper Handling of HTTP Vary Header), and CWE-639 (Authorization Bypass Through User-Controlled Key). The CVSS 4.0 score is 6.0 (medium severity), reflecting network attack vector, high complexity, partial privileges required, no user interaction, and high impact on confidentiality. The issue is fixed in version 1.11.1 by enabling automatic support for the Vary header and including the Authorization header value in cache keys, which isolates cache entries per user token. Browser or client-side applications are not affected since they typically handle a single user session. No exploitation in the wild has been reported as of now.
Potential Impact
For European organizations, this vulnerability poses a significant risk of unauthorized data disclosure and privacy breaches, especially for those operating multi-tenant backend services, API gateways, or proxies that cache responses from upstream services using axios-cache-interceptor. Sensitive user data could be leaked across different authenticated sessions, violating GDPR and other data protection regulations. The impact includes loss of confidentiality, potential regulatory fines, reputational damage, and erosion of customer trust. Organizations relying on microservices architectures or cloud-native applications that use axios-cache-interceptor for caching authenticated requests are particularly vulnerable. The flaw could be exploited by attackers or malicious insiders with low privileges to access data belonging to other users without proper authorization. Although exploitation complexity is high due to the need for specific caching and header conditions, the widespread use of axios and caching libraries in modern web applications increases the attack surface. The vulnerability does not affect client-side applications, limiting the scope to server-side deployments. Overall, the impact is medium but with potential for serious data breaches if left unmitigated.
Mitigation Recommendations
European organizations should immediately upgrade axios-cache-interceptor to version 1.11.1 or later, where the vulnerability is fixed by including the Authorization header in cache keys when the upstream service responds with Vary: Authorization. Additionally, organizations should audit all backend services and API gateways that use axios-cache-interceptor or similar caching mechanisms to ensure proper handling of Vary headers and authorization tokens. Implement strict cache key generation policies that incorporate all headers affecting response content, especially Authorization. Conduct thorough code reviews and penetration testing focused on caching logic and authorization enforcement. Where possible, disable caching of sensitive authenticated responses or use cache partitioning per user session. Monitor logs for anomalous cache hits or unexpected data access patterns. Educate developers about the security implications of caching sensitive data and the importance of respecting HTTP caching semantics. Finally, maintain an inventory of all services using axios-cache-interceptor to ensure timely patching and compliance with data protection requirements.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Poland, Belgium, Ireland
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-12-29T14:48:28.442Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 695450b2db813ff03e2bee73
Added to database: 12/30/2025, 10:22:42 PM
Last enriched: 12/30/2025, 11:13:39 PM
Last updated: 2/7/2026, 12:37:40 AM