PT-2025-53783 · Unknown+1 · Axios-Cache-Interceptor+2

Kishore03109 · Published 2025-12-29 · Updated 2026-01-05 · CVE-2025-69202

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Axios Cache Interceptor versions prior to 1.11.1

Description: Axios Cache Interceptor, a cache interceptor for axios, improperly handles responses carrying a Vary: Authorization header. Prior to version 1.11.1, the cache key was generated solely from the URL, disregarding request headers such as Authorization. As a result, when a server made requests to an upstream service using different authentication tokens, the wrong cached response could be returned, leading to a potential authorization bypass. Server-side applications that use axios-cache-interceptor to cache requests to upstream services, handle requests from multiple users with differing authentication tokens, and rely on the Vary header for cache differentiation are affected. Browser or client-side applications, where each session is tied to a single user, are not affected. The root cause is that the library ignores the Vary header, so all requests for a URL share the same cache entry regardless of authorization, which can leak one user's data into another authenticated session. As of version 1.11.1, Vary header support is enabled by default, so the Authorization header value is included in the cache key.

Recommendations: Upgrade to version 1.11.1 or later to benefit from the automatic Vary header support.

Exploit

Fix

IDOR

Weakness Enumeration

Related Identifiers

CVE-2025-69202
GHSA-X4M5-4CW8-VC44

Affected Products

Axios
Axios Cache Interceptor
Axios-Cache-Interceptor