CVE-2025-69202

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-69202

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-69202.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-69202

Aliases

GHSA-x4m5-4cw8-vc44

Published

2025-12-29T19:13:27.880Z

Modified

2026-03-14T12:44:45.646792Z

Severity

6.0 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:L/SA:N CVSS Calculator

Summary

axios-cache-interceptor Vulnerable to Cache Poisoning via Ignored HTTP Vary Header

Details

Axios Cache Interceptor is a cache interceptor for axios. Prior to version 1.11.1, when a server calls an upstream service using different auth tokens, axios-cache-interceptor returns incorrect cached responses, leading to authorization bypass. The cache key is generated only from the URL, ignoring request headers like Authorization. When the server responds with Vary: Authorization (indicating the response varies by auth token), the library ignores this, causing all requests to share the same cache regardless of authorization. Server-side applications (APIs, proxies, backend services) that use axios-cache-interceptor to cache requests to upstream services, handle requests from multiple users with different auth tokens, and upstream services replies on Vary to differentiate caches are affected. Browser/client-side applications (single user per browser session) are not affected. Services using different auth tokens to call upstream services will return incorrect cached data, bypassing authorization checks and leaking user data across different authenticated sessions. After v1.11.1, automatic Vary header support is now enabled by default. When server responds with Vary: Authorization, cache keys now include the authorization header value. Each user gets their own cache.

Database specific

{
    "cwe_ids": [
        "CWE-524",
        "CWE-573",
        "CWE-639"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/69xxx/CVE-2025-69202.json"
}

References

Affected packages

Git / github.com/arthurfiorette/axios-cache-interceptor

Affected ranges

Type: GIT
Repo: https://github.com/arthurfiorette/axios-cache-interceptor
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

b1e0d2802f286fdb2846e7617b432f9b3b2fea81

Affected versions

1.*

1.6.1

v0.*

v0.0.1

v0.0.2

v0.0.3

v0.0.4

v0.0.5

v0.0.6

v0.1.0

v0.1.1

v0.1.2

v0.1.3

v0.10.0

v0.10.1

v0.10.2

v0.10.3

v0.10.4

v0.10.5

v0.10.6

v0.10.7

v0.2.0

v0.2.1

v0.2.2

v0.2.3

v0.2.4

v0.2.5

v0.2.6

v0.2.7

v0.2.8

v0.3.0

v0.4.0

v0.4.1

v0.5.0

v0.5.1

v0.6.0

v0.6.1

v0.6.2

v0.6.3

v0.7.0

v0.7.0-beta1

v0.7.0-beta2

v0.7.0-beta3

v0.7.1

v0.7.2

v0.7.3

v0.7.4

v0.7.5

v0.7.6

v0.7.7

v0.7.8

v0.7.9

v0.8.0

v0.8.0-beta1

v0.8.1

v0.8.10

v0.8.2

v0.8.3

v0.8.4

v0.8.5

v0.8.6

v0.8.7

v0.8.8

v0.8.9

v0.9.0

v0.9.1

v0.9.2

v1.*

v1.0.0

v1.0.1

v1.1.0

v1.1.1

v1.10.0

v1.2.0

v1.3.0

v1.3.1

v1.3.2

v1.3.3

v1.4.0

v1.4.1

v1.5.0

v1.5.1

v1.5.2

v1.5.3

v1.6.0

v1.6.1

v1.6.2

v1.7.0

v1.8.0

v1.8.1

v1.8.2

v1.8.3

v1.9.0

v1.9.1

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-69202.json"