Authorization Bypass Vulnerability in Axios Cache Interceptor by Arthur Fiorette
CVE-2025-69202

6 MEDIUM

Key Information:

Vendor
CVE Published:
29 December 2025

What is CVE-2025-69202?

axios-cache-interceptor before version 1.11.1 does not take the request's credentials into account when it caches responses from an upstream service. The cache key is derived from the URL alone and ignores request headers such as Authorization, and the server's Vary: Authorization response header, which tells caches that the response differs per credential, is not honoured. A response fetched with one user's token can therefore be served from the cache to a different authenticated user who requests the same URL, which is an authorization bypass: the cache is shared across sessions that the server intended to keep separate. The exposure exists wherever a single axios instance carrying the interceptor issues requests on behalf of more than one principal, for example a server-side component that forwards each caller's token upstream. Version 1.11.1 implements handling of the Vary header, so cache entries are segregated by the values of the request headers the server declares in Vary, including Authorization.
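The following is an added illustration of the failure mode described above, written for this page; it is not axios-cache-interceptor's code. It models a toy response cache in front of a constructed upstream whose /api/me response depends on the bearer token and carries Vary: Authorization. With URL-only keying (the pre-1.11.1 behaviour described above) Bob receives Alice's cached profile; with Vary-aware keying, where the request header values named by the stored response's Vary header form a secondary key, each user gets their own entry. The user names, tokens and the /api/me path are constructed sample data.

```javascript
// Constructed upstream: the body depends on the bearer token, and the response
// declares that fact with Vary: Authorization.
const USERS = {
  'Bearer tok-alice': { name: 'alice', role: 'user' },
  'Bearer tok-bob': { name: 'bob', role: 'admin' },
};

function upstream(req) {
  const user = USERS[req.headers.authorization];
  if (!user) return { status: 401, headers: {}, body: null };
  return { status: 200, headers: { vary: 'Authorization' }, body: user };
}

// Pre-fix style key: method + URL only. Authorization never enters the key.
function keyUrlOnly(req) {
  return `${req.method} ${req.url}`;
}

// Vary-aware secondary key: the values of every request header the cached
// response says it varies on, normalised and sorted so header order is irrelevant.
function secondaryKey(req, varyHeader) {
  if (!varyHeader) return '';
  return varyHeader
    .split(',')
    .map((h) => h.trim().toLowerCase())
    .sort()
    .map((h) => `${h}=${req.headers[h] ?? ''}`)
    .join('&');
}

class Cache {
  constructor(honorVary) {
    this.honorVary = honorVary;
    this.store = new Map(); // primary key -> [{ secondary, response }]
  }

  request(req) {
    const primary = keyUrlOnly(req);
    const entries = this.store.get(primary) ?? [];
    for (const entry of entries) {
      // Without Vary handling every entry under the URL matches every caller.
      const sec = this.honorVary ? secondaryKey(req, entry.response.headers.vary) : '';
      if (sec === entry.secondary) return { ...entry.response, fromCache: true };
    }
    const response = upstream(req);
    if (response.status === 200) {
      const secondary = this.honorVary ? secondaryKey(req, response.headers.vary) : '';
      entries.push({ secondary, response });
      this.store.set(primary, entries);
    }
    return { ...response, fromCache: false };
  }
}

// Alice requests /api/me first; Bob then requests the same URL with his own token.
// Returns what Bob sees and whether it came from the cache.
function scenario(honorVary) {
  const cache = new Cache(honorVary);
  const alice = { method: 'GET', url: '/api/me', headers: { authorization: 'Bearer tok-alice' } };
  const bob = { method: 'GET', url: '/api/me', headers: { authorization: 'Bearer tok-bob' } };
  cache.request(alice);
  const seenByBob = cache.request(bob);
  return { name: seenByBob.body.name, fromCache: seenByBob.fromCache };
}

console.log('URL-only key  :', scenario(false)); // Bob is served Alice's profile
console.log('Vary-aware key:', scenario(true));  // Bob gets his own response
```

Because the fix keys on the server's Vary header, an upstream that omits Vary: Authorization on per-user responses is still cached per URL after upgrading; in that case the credential (or a per-user identifier) has to be folded into the cache key on the client side, for example through the interceptor's key-generation option, or caching of those endpoints disabled.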

Affected Version(s)

axios-cache-interceptor < 1.11.1

References

CVSS V4

Score: 6
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: High
Attack Requirements: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
