CVE Reports

Posted on • Originally published at cvereports.com

CVE-2025-69202: The Shared Hallucination: Authorization Bypass in axios-cache-interceptor

Vulnerability ID: CVE-2025-69202
CVSS Score: 6.5
Published: 2025-12-30

A critical failure in cache key generation allows unprivileged users to inherit the sessions of privileged users in server-side implementations of axios-cache-interceptor.

TL;DR

The popular library axios-cache-interceptor (< 1.11.1) did not take the HTTP Vary header into account when generating cache keys, so an authenticated response is effectively treated as a global public asset. If an admin visits a page, the library caches the response; if a guest requests the same page immediately afterwards, they receive the admin's cached view, bypassing backend authentication checks entirely.

⚠️ Exploit Status: PoC

Technical Details

  • CWE ID: CWE-524 (Sensitive Information in Cache)
  • Attack Vector: Network (AV:N)
  • Impact: Confidentiality High, Authorization Bypass
  • CVSS Score: 6.5 (Medium)
  • Exploit Status: PoC Available (in unit tests)
  • Fix Version: 1.11.1

Affected Systems

  • Node.js Backend-for-Frontends (BFF)
  • SSR Applications (Next.js/Nuxt.js using custom axios instances)
  • API Proxies using axios-cache-interceptor
  • axios-cache-interceptor: < 1.11.1 (Fixed in: 1.11.1)

Code Analysis

Commit: 49a8080

fix: add vary header support to key generator

```ts
+    const vary = response.headers[headerNames.vary] || response.headers['vary'];
+    if (vary) { ... }
```
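Review bot: the body of the `if (vary)` branch is elided here, so the handling of `Vary: *` is not visible; `'*'` is a truthy string and enters the branch, yet a response carrying `Vary: *` can never be matched to a later request, so the generator should treat it as uncacheable up front instead of trying to fold request header values into the key. Worth documenting alongside the change is that `vary` is read from the response, so the first request for a URL is keyed before any Vary is known and only subsequent variants can be told apart by it.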

Exploit Details

  • GitHub: Integration tests demonstrating cache collision fixes for Vary headers

Mitigation Strategies

  • Update to version 1.11.1+
  • Disable caching for authenticated routes if patching is impossible
  • Implement custom key generators that explicitly hash the Authorization header

Remediation Steps:

  1. Run npm install axios-cache-interceptor@latest or yarn upgrade axios-cache-interceptor.
  2. Review codebase for custom generateKey functions that might override the new default safe behavior.
  3. Verify the fix by sending concurrent requests with different Auth tokens to the same endpoint and asserting unique responses.
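The collision described in the TL;DR, the third mitigation (a key generator that folds in the Authorization header) and remediation step 3 (two tokens, same endpoint, distinct responses), as an added example in plain Node.js. This is not code from axios-cache-interceptor or from this report: the origin server, the tokens, the /api/me URL and the pre-1.11.1 approximation `legacyKey` are all constructed for the demo.

```javascript
// Added example, not code from axios-cache-interceptor: a miniature response
// cache with pluggable key generation, used to reproduce the collision the
// advisory describes and to show two ways of closing it. The backend, tokens
// and URL below are constructed for the demo.

// Constructed origin: /api/me answers with the identity bound to the bearer
// token and flags the response as varying on Authorization.
const TOKENS = {
  'Bearer tok-admin': { user: 'admin', role: 'admin' },
  'Bearer tok-guest': { user: 'guest', role: 'guest' },
};
function originServer(req) {
  const identity = TOKENS[req.headers.authorization] || null;
  return {
    status: identity ? 200 : 401,
    headers: { vary: 'Authorization', 'cache-control': 'max-age=60' },
    data: identity || { error: 'unauthorized' },
  };
}

// legacyKey approximates the pre-1.11.1 behaviour the advisory describes:
// method and URL only, so every caller of /api/me shares one cache slot.
// authAwareKey is the advisory's third mitigation: fold the Authorization
// header into the key (a real generator would hash it; the raw string is
// kept here so the keys stay readable).
const legacyKey = (req) => `${req.method}:${req.url}`;
const authAwareKey = (req) =>
  `${req.method}:${req.url}:${req.headers.authorization || ''}`;

// Flat cache: one slot per generated key, whatever the response's Vary says.
class FlatCache {
  constructor(generateKey) {
    this.generateKey = generateKey;
    this.slots = new Map();
  }
  lookup(req) { return this.slots.get(this.generateKey(req)); }
  save(req, res) { this.slots.set(this.generateKey(req), res); }
}

// Vary-aware cache, modelled on RFC 9111 section 4.1: a stored response is
// reused only if the request header values named in its Vary header match
// the new request. A response with "Vary: *" is never reused.
class VaryAwareCache {
  constructor() { this.variants = new Map(); } // primary key -> [{ selecting, response }]
  lookup(req) {
    const list = this.variants.get(`${req.method}:${req.url}`) || [];
    const hit = list.find((v) =>
      Object.entries(v.selecting).every(([name, val]) => (req.headers[name] || '') === val));
    return hit ? hit.response : undefined;
  }
  save(req, res) {
    const vary = String(res.headers.vary || '').trim().toLowerCase();
    if (vary === '*') return; // never matchable, so never stored
    const names = vary.split(',').map((s) => s.trim()).filter(Boolean);
    const selecting = Object.fromEntries(names.map((n) => [n, req.headers[n] || '']));
    const key = `${req.method}:${req.url}`;
    this.variants.set(key, [...(this.variants.get(key) || []), { selecting, response: res }]);
  }
}

// Interceptor-style client: consult the cache, fall back to the origin, store.
function cachedGet(cache, url, authorization) {
  const req = { method: 'get', url, headers: { authorization } };
  const hit = cache.lookup(req);
  if (hit) return { ...hit, fromCache: true };
  const res = originServer(req);
  cache.save(req, res);
  return { ...res, fromCache: false };
}

// Remediation step 3 as a check: two different tokens call the same endpoint
// back to back; the second caller must not receive the first caller's view.
function checkCrossUserLeak(cache, url = '/api/me') {
  cachedGet(cache, url, 'Bearer tok-admin'); // admin populates the cache
  const guest = cachedGet(cache, url, 'Bearer tok-guest');
  return {
    guestSaw: guest.data.user,
    fromCache: guest.fromCache,
    leaked: guest.data.user !== 'guest',
  };
}

console.log('legacy key :', checkCrossUserLeak(new FlatCache(legacyKey)));
console.log('auth-aware :', checkCrossUserLeak(new FlatCache(authAwareKey)));
console.log('vary-aware :', checkCrossUserLeak(new VaryAwareCache()));
```

Run it with node: the first line shows the legacy key handing the admin's cached view to the guest, the other two show the guest receiving its own identity. In the real library the counterpart of `authAwareKey` is a custom `generateKey` passed to `setupCache`, which is the function remediation step 2 asks you to review; the Vary-aware cache shows what the 1.11.1 fix has to achieve, not how the library implements it.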

Read the full report for CVE-2025-69202 on our website for more details including interactive diagrams and full exploit analysis.
