cvedb.io
CVE-2025-69202
MEDIUM · CVSS 6.5
EPSS exploitation probability: 0%
Published 2025-12-29T20:15:42.107 · Last modified 2026-06-17T10:00:16.710

Summary

Axios Cache Interceptor is a cache interceptor for axios. Prior to version 1.11.1, when a server calls an upstream service using different auth tokens, axios-cache-interceptor returns incorrect cached responses, leading to authorization bypass. The cache key is generated only from the URL, ignoring request headers like `Authorization`. When the server responds with `Vary: Authorization` (indicating the response varies by auth token), the library ignores this, causing all requests to share the same cache regardless of authorization. Server-side applications (APIs, proxies, backend services) that use axios-cache-interceptor to cache requests to upstream services, handle requests from multiple users with different auth tokens, and upstream services replies on `Vary` to differentiate caches ar

Affected products

axios-cache-interceptor — axios_cache_interceptor

Does this affect you?

Add your gear to cvedb and we'll alert you only when axios-cache-interceptor ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.