CVE-2025-69202

6.5 MEDIUM

📋 TL;DR

Axios Cache Interceptor versions before 1.11.1 incorrectly cache responses without considering Authorization headers, allowing cached responses from one user's authenticated session to be served to other users with different auth tokens. This leads to authorization bypass and potential data leakage across user sessions. Only server-side applications using axios-cache-interceptor to call upstream services with different auth tokens are affected.

💻 Affected Systems

Products:
  • axios-cache-interceptor
Versions: All versions before 1.11.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects server-side applications using axios-cache-interceptor to call upstream services with different auth tokens. Browser/client-side applications are not affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Sensitive user data from one authenticated session is served to unauthorized users, leading to complete authorization bypass and data leakage across all user sessions.

🟠 Likely Case

Users receive cached responses from other users' sessions, potentially exposing personal data, preferences, or authorization tokens to unauthorized parties.

🟢 If Mitigated

With proper controls, impact is limited to potential performance degradation from cache misses, but no data leakage occurs.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to the vulnerable application and understanding of cache behavior. The vulnerability is inherent to the library's design.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.11.1

Vendor Advisory: https://github.com/arthurfiorette/axios-cache-interceptor/security/advisories/GHSA-x4m5-4cw8-vc44

Restart Required: Yes

Instructions:

1. Update axios-cache-interceptor to version 1.11.1 or later.
2. Run npm update axios-cache-interceptor or yarn upgrade axios-cache-interceptor.
3. Restart your application server.

🔧 Temporary Workarounds

Disable caching for requests with Authorization headers

Manually configure axios-cache-interceptor to skip caching for requests that include Authorization headers:

// In your axios configuration: setupCache wraps an axios instance, and
// cachePredicate.responseMatch decides per response whether it may be stored.
import Axios from 'axios';
import { setupCache } from 'axios-cache-interceptor';

const axios = setupCache(Axios.create(), {
  methods: ['get'],
  cachePredicate: {
    // Never store a response whose request carried an Authorization header
    responseMatch: (response) => !response.config.headers?.Authorization
  }
});

🧯 If You Can't Patch

  • Disable axios-cache-interceptor entirely for all requests that use Authorization headers
  • Implement application-level caching that properly respects Vary headers and authorization tokens

🔍 How to Verify

Check if Vulnerable:

Check package.json or node_modules/axios-cache-interceptor/package.json for version number. If version is less than 1.11.1, the system is vulnerable.

Check Version:

npm list axios-cache-interceptor | grep axios-cache-interceptor

Verify Fix Applied:

Verify that the installed version is 1.11.1 or higher, and test that requests sent with different Authorization headers do not share cached responses.

📡 Detection & Monitoring

Log Indicators:

  • Multiple users receiving identical cached responses despite different auth tokens
  • Cache hits for requests with varying Authorization headers

Network Indicators:

  • Identical response bodies for requests with different Authorization headers
  • Missing Vary: Authorization header in upstream service responses

SIEM Query:

Search for identical response payloads across multiple user sessions within short timeframes when using axios-cache-interceptor
