21 matches found
undici: Undici: Information disclosure due to improper cache-control header parsing
A flaw was found in Undici. The cache interceptor in shared-cache mode incorrectly classifies certain responses as cacheable due to improper handling of whitespace-padded Cache-Control header field names. This vulnerability allows an unauthenticated attacker to access authenticated user data from...
Linux Distros Unpatched Vulnerability : CVE-2026-9678
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Impact: Undici's cache interceptor incorrectly classifies some responses as cacheable when the upstream Cache-Control header uses whitespace-padded qualified...
SUSE CVE-2026-9678
Impact: Undici's cache interceptor incorrectly classifies some responses as cacheable when the upstream Cache-Control header uses whitespace-padded qualified private or no-cache field names such as private=" authorization" or no-cache="\tauthorization". The parser preserves the surrounding...
EUVD-2026-37766
undici vulnerable to cross-user information disclosure via shared cache whitespace bypass...
Use of Cache Containing Sensitive Information
Overview undici is an An HTTP/1.1 client, written from scratch for Node.js Affected versions of this package are vulnerable to Use of Cache Containing Sensitive Information in the cache interceptor. An attacker can obtain another user's authenticated response data by exploiting whitespace-padded...
Use of Cache Containing Sensitive Information
Overview org.webjars.npm:undici is an An HTTP/1.1 client, written from scratch for Node.js Affected versions of this package are vulnerable to Use of Cache Containing Sensitive Information in the cache interceptor. An attacker can obtain another user's authenticated response data by exploiting...
CVE-2026-9678
Impact: Undici's cache interceptor incorrectly classifies some responses as cacheable when the upstream Cache-Control header uses whitespace-padded qualified private or no-cache field names such as private=" authorization" or no-cache="\tauthorization". The parser preserves the surrounding...
UBUNTU-CVE-2026-9678
Impact: Undici's cache interceptor incorrectly classifies some responses as cacheable when the upstream Cache-Control header uses whitespace-padded qualified private or no-cache field names such as private=" authorization" or no-cache="\tauthorization". The parser preserves the surrounding...
CVE-2026-9678
Impact: Undici's cache interceptor incorrectly classifies some responses as cacheable when the upstream Cache-Control header uses whitespace-padded qualified private or no-cache field names such as private=" authorization" or no-cache="\tauthorization". The parser preserves the surrounding...
PT-2026-50515
Name of the Vulnerable Software and Affected Versions undici versions prior to 7.28.0 undici versions prior to 8.5.0 Description The cache interceptor incorrectly classifies certain responses as cacheable when the upstream Cache-Control header contains whitespace-padded qualified private or...
Authorization Bypass
Axios Cache Interceptor is vulnerable to an Authorization Bypass. The vulnerability is due to improper cache key generation, where cached responses are keyed only by URL and ignore the Authorization header and Vary: Authorization, causing responses generated for one user’s auth token to be reused...
@0xecho/button (>=0.0.1 <=0.0.17), @anguyenguy/frontend-platform (>=1.0.1 <=1.0.2) +68 more potentially affected by CVE-2025-69202 via axios-cache-interceptor (>=0.10.7 <=1.0.0)
axios-cache-interceptor NPM version =0.10.7, =0.0.1, =1.0.1, =0.4.0, =0.0.1, =5.0.2-alpha.1-nelp.1, =0.1.0-testing, =3.3.0-alpha.1, =1.1.0, =1.0.0, =1.0.0-semantically-released, =11.7.0, =4.8.1, =5.5.0 and more Source cves: CVE-2025-69202 Source advisory: OSV:GHSA-X4M5-4CW8-VC44...
GHSA-X4M5-4CW8-VC44 axios-cache-interceptor Vulnerable to Cache Poisoning via Ignored HTTP Vary Header
Summary When a server calls an upstream service using different auth tokens, axios-cache-interceptor returns incorrect cached responses, leading to authorization bypass. Details The cache key is generated only from the URL, ignoring request headers like Authorization. When the server responds wit...
axios-cache-interceptor Vulnerable to Cache Poisoning via Ignored HTTP Vary Header
Summary When a server calls an upstream service using different auth tokens, axios-cache-interceptor returns incorrect cached responses, leading to authorization bypass. Details The cache key is generated only from the URL, ignoring request headers like Authorization. When the server responds wit...
@tutkli/jikan-ts (>=0.6.1 <=0.6.3) potentially affected by CVE-2025-69202 via axios-cache-interceptor (=1.0.0)
axios-cache-interceptor NPM version =1.0.0 is affected by a known vulnerability. The following packages have a transitive dependency on axios-cache-interceptor and may be impacted: - @tutkli/jikan-ts =0.6.1, =0.6.3 Source cves: CVE-2025-69202 Source advisory: SNYK:JS-AXIOSCACHEINTERCEPTOR-1472426...
Cache Poisoning
Overview axios-cache-interceptor is a Cache interceptor for axios Affected versions of this package are vulnerable to Cache Poisoning by ignoring the Vary HTTP header. An attacker can access unauthorized cached responses to obtain sensitive user data by sending requests with multiple different...
CVE-2025-69202 axios-cache-interceptor Vulnerable to Cache Poisoning via Ignored HTTP Vary Header
Axios Cache Interceptor is a cache interceptor for axios. Prior to version 1.11.1, when a server calls an upstream service using different auth tokens, axios-cache-interceptor returns incorrect cached responses, leading to authorization bypass. The cache key is generated only from the URL, ignori...
CVE-2025-69202
The CVE describes a cache poisoning/vulnerability in axios-cache-interceptor prior to v1.11.1: the cache key is generated from the URL only, ignoring request headers like Authorization. When upstream responses include Vary: Authorization, this leads to identical cached responses being served for ...
CVE-2025-69202 axios-cache-interceptor Vulnerable to Cache Poisoning via Ignored HTTP Vary Header
Axios Cache Interceptor is a cache interceptor for axios. Prior to version 1.11.1, when a server calls an upstream service using different auth tokens, axios-cache-interceptor returns incorrect cached responses, leading to authorization bypass. The cache key is generated only from the URL, ignori...
Axios Cache Interceptor 安全漏洞
Axios Cache Interceptor is a cache interceptor by the individual developer Arthur Fiorette. A security vulnerability exists in Axios Cache Interceptor versions prior to 1.11.1, which stems from cache key generation ignoring the authorization header, which could lead to authorization bypass...