The Shared Hallucination: Authorization Bypass in axios-cache-interceptor

Amit Schendel

Senior Security Researcher

Jan 1, 2026·6 min read·9 visits

PoC Available

Executive Summary (TL;DR)

The popular library 'axios-cache-interceptor' (< 1.11.1) failed to respect the HTTP 'Vary' header. This effectively treats authenticated responses as global public assets. If an Admin visits a page, the library caches it. If a Guest visits the same page immediately after, they get the Admin's cached view, bypassing backend authentication checks entirely.

A critical failure in cache key generation allows unprivileged users to inherit the sessions of privileged users in server-side implementations of axios-cache-interceptor.

Attack Flow Diagram

Official Patches

axios-cache-interceptorGitHub Commit fixing the issue

Fix Analysis (1)

Technical Appendix

CVSS Score

6.5/ 10

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS Probability

0.04%

Top 100% most exploited

Affected Systems

Node.js Backend-for-Frontends (BFF)SSR Applications (Next.js/Nuxt.js using custom axios instances)API Proxies using axios-cache-interceptor

Affected Versions Detail

Product	Affected Versions	Fixed Version
axios-cache-interceptor Arthur Fiorette	< 1.11.1	1.11.1

Attribute	Detail
CWE ID	CWE-524 (Sensitive Information in Cache)
Attack Vector	Network (AV:N)
Impact	Confidentiality High, Authorization Bypass
CVSS Score	6.5 (Medium)
Exploit Status	PoC Available (in unit tests)
Fix Version	1.11.1

MITRE ATT&CK Mapping

T1557Adversary-in-the-Middle

Credential Access

T1213Data from Information Repositories

Collection

CWE-524

Information Disclosure via Cache

Use of Cache Containing Sensitive Information

Known Exploits & Detection

GitHubIntegration tests demonstrating cache collision fixes for Vary headers

Vulnerability Timeline

Patch Committed

2025-02-12

GHSA Advisory Published

2025-02-14