Lucene search
K

21 matches found

RedHat Linux
RedHat Linux
added 2 days ago5 views

undici: Undici: Information disclosure due to improper cache-control header parsing

A flaw was found in Undici. The cache interceptor in shared-cache mode incorrectly classifies certain responses as cacheable due to improper handling of whitespace-padded Cache-Control header field names. This vulnerability allows an unauthenticated attacker to access authenticated user data from...

5.9CVSS7AI score0.00374EPSS
Exploits0References6
Tenable Nessus
Tenable Nessus
added 2026/06/20 12:0 a.m.8 views

Linux Distros Unpatched Vulnerability : CVE-2026-9678

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Impact: Undici's cache interceptor incorrectly classifies some responses as cacheable when the upstream Cache-Control header uses whitespace-padded qualified...

5.9CVSS7.1AI score0.00374EPSS
Exploits0References4
SUSE CVE
SUSE CVE
added 2026/06/19 1:57 a.m.11 views

SUSE CVE-2026-9678

Impact: Undici's cache interceptor incorrectly classifies some responses as cacheable when the upstream Cache-Control header uses whitespace-padded qualified private or no-cache field names such as private=" authorization" or no-cache="\tauthorization". The parser preserves the surrounding...

5.9CVSS5.3AI score0.00374EPSS
Exploits0References4
EUVD
EUVD
added 2026/06/18 2:28 p.m.12 views

EUVD-2026-37766

undici vulnerable to cross-user information disclosure via shared cache whitespace bypass...

5.9CVSS7AI score0.00374EPSS
Exploits0References3
Snyk
Snyk
added 2026/06/17 6:21 p.m.10 views

Use of Cache Containing Sensitive Information

Overview undici is an An HTTP/1.1 client, written from scratch for Node.js Affected versions of this package are vulnerable to Use of Cache Containing Sensitive Information in the cache interceptor. An attacker can obtain another user's authenticated response data by exploiting whitespace-padded...

8.9CVSS7.1AI score0.00374EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/17 6:21 p.m.7 views

Use of Cache Containing Sensitive Information

Overview org.webjars.npm:undici is an An HTTP/1.1 client, written from scratch for Node.js Affected versions of this package are vulnerable to Use of Cache Containing Sensitive Information in the cache interceptor. An attacker can obtain another user's authenticated response data by exploiting...

8.9CVSS7.1AI score0.00374EPSS
Exploits0References2
NVD
NVD
added 2026/06/17 6:18 p.m.13 views

CVE-2026-9678

Impact: Undici's cache interceptor incorrectly classifies some responses as cacheable when the upstream Cache-Control header uses whitespace-padded qualified private or no-cache field names such as private=" authorization" or no-cache="\tauthorization". The parser preserves the surrounding...

5.9CVSS0.00374EPSS
Exploits0References2
OSV
OSV
added 2026/06/17 6:18 p.m.3 views

UBUNTU-CVE-2026-9678

Impact: Undici's cache interceptor incorrectly classifies some responses as cacheable when the upstream Cache-Control header uses whitespace-padded qualified private or no-cache field names such as private=" authorization" or no-cache="\tauthorization". The parser preserves the surrounding...

5.9CVSS7AI score0.00374EPSS
Exploits0References3
Debian CVE
Debian CVE
added 2026/06/17 5:4 p.m.7 views

CVE-2026-9678

Impact: Undici's cache interceptor incorrectly classifies some responses as cacheable when the upstream Cache-Control header uses whitespace-padded qualified private or no-cache field names such as private=" authorization" or no-cache="\tauthorization". The parser preserves the surrounding...

5.9CVSS5.3AI score0.00374EPSS
Exploits0
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.13 views

PT-2026-50515

Name of the Vulnerable Software and Affected Versions undici versions prior to 7.28.0 undici versions prior to 8.5.0 Description The cache interceptor incorrectly classifies certain responses as cacheable when the upstream Cache-Control header contains whitespace-padded qualified private or...

5.9CVSS7AI score0.00374EPSS
Exploits0References96
Veracode
Veracode
added 2026/01/13 7:56 a.m.8 views

Authorization Bypass

Axios Cache Interceptor is vulnerable to an Authorization Bypass. The vulnerability is due to improper cache key generation, where cached responses are keyed only by URL and ignore the Authorization header and Vary: Authorization, causing responses generated for one user’s auth token to be reused...

6.5CVSS7AI score0.00272EPSS
Exploits1References2Affected Software1
vulnersOsv
vulnersOsv
added 2025/12/30 3:37 p.m.7 views

@0xecho/button (>=0.0.1 <=0.0.17), @anguyenguy/frontend-platform (>=1.0.1 <=1.0.2) +68 more potentially affected by CVE-2025-69202 via axios-cache-interceptor (>=0.10.7 <=1.0.0)

axios-cache-interceptor NPM version =0.10.7, =0.0.1, =1.0.1, =0.4.0, =0.0.1, =5.0.2-alpha.1-nelp.1, =0.1.0-testing, =3.3.0-alpha.1, =1.1.0, =1.0.0, =1.0.0-semantically-released, =11.7.0, =4.8.1, =5.5.0 and more Source cves: CVE-2025-69202 Source advisory: OSV:GHSA-X4M5-4CW8-VC44...

6.5CVSS5.8AI score0.00272EPSS
Exploits1
OSV
OSV
added 2025/12/30 3:37 p.m.9 views

GHSA-X4M5-4CW8-VC44 axios-cache-interceptor Vulnerable to Cache Poisoning via Ignored HTTP Vary Header

Summary When a server calls an upstream service using different auth tokens, axios-cache-interceptor returns incorrect cached responses, leading to authorization bypass. Details The cache key is generated only from the URL, ignoring request headers like Authorization. When the server responds wit...

6CVSS6.9AI score0.00272EPSS
Exploits1References4
Github Security Blog
Github Security Blog
added 2025/12/30 3:37 p.m.11 views

axios-cache-interceptor Vulnerable to Cache Poisoning via Ignored HTTP Vary Header

Summary When a server calls an upstream service using different auth tokens, axios-cache-interceptor returns incorrect cached responses, leading to authorization bypass. Details The cache key is generated only from the URL, ignoring request headers like Authorization. When the server responds wit...

6.5CVSS7AI score0.00272EPSS
Exploits1References4Affected Software1
vulnersOsv
vulnersOsv
added 2025/12/29 7:43 p.m.6 views

@tutkli/jikan-ts (>=0.6.1 <=0.6.3) potentially affected by CVE-2025-69202 via axios-cache-interceptor (=1.0.0)

axios-cache-interceptor NPM version =1.0.0 is affected by a known vulnerability. The following packages have a transitive dependency on axios-cache-interceptor and may be impacted: - @tutkli/jikan-ts =0.6.1, =0.6.3 Source cves: CVE-2025-69202 Source advisory: SNYK:JS-AXIOSCACHEINTERCEPTOR-1472426...

6.5CVSS5.8AI score0.00272EPSS
Exploits1
Snyk
Snyk
added 2025/12/29 7:43 p.m.5 views

Cache Poisoning

Overview axios-cache-interceptor is a Cache interceptor for axios Affected versions of this package are vulnerable to Cache Poisoning by ignoring the Vary HTTP header. An attacker can access unauthorized cached responses to obtain sensitive user data by sending requests with multiple different...

7.1CVSS6.6AI score0.00272EPSS
Exploits1References3
Vulnrichment
Vulnrichment
added 2025/12/29 7:13 p.m.1 views

CVE-2025-69202 axios-cache-interceptor Vulnerable to Cache Poisoning via Ignored HTTP Vary Header

Axios Cache Interceptor is a cache interceptor for axios. Prior to version 1.11.1, when a server calls an upstream service using different auth tokens, axios-cache-interceptor returns incorrect cached responses, leading to authorization bypass. The cache key is generated only from the URL, ignori...

6CVSS6.3AI score0.00272EPSS
Exploits1References2
OSV
OSV
added 2025/12/29 7:13 p.m.6 views

CVE-2025-69202 axios-cache-interceptor Vulnerable to Cache Poisoning via Ignored HTTP Vary Header

Axios Cache Interceptor is a cache interceptor for axios. Prior to version 1.11.1, when a server calls an upstream service using different auth tokens, axios-cache-interceptor returns incorrect cached responses, leading to authorization bypass. The cache key is generated only from the URL, ignori...

6CVSS6.6AI score0.00272EPSS
Exploits1References4
CVE
CVE
added 2025/12/29 7:13 p.m.13 views

CVE-2025-69202

The CVE describes a cache poisoning/vulnerability in axios-cache-interceptor prior to v1.11.1: the cache key is generated from the URL only, ignoring request headers like Authorization. When upstream responses include Vary: Authorization, this leads to identical cached responses being served for ...

6.5CVSS6.3AI score0.00272EPSS
Exploits1References2Affected Software1
Positive Technologies
Positive Technologies
added 2025/12/29 12:0 a.m.10 views

PT-2025-53783

Name of the Vulnerable Software and Affected Versions Axios Cache Interceptor versions prior to 1.11.1 Description Axios Cache Interceptor, a cache interceptor for axios, improperly handles responses with the Vary: Authorization header. Prior to version 1.11.1, the cache key was generated solely...

6.5CVSS6.6AI score0.00272EPSS
Exploits1References7
Rows per page
Query Builder