Axios Cache Interceptor Authorization Bypass Vulnerability Due to Ignored Vary Header
Vulnerability
A cache poisoning vulnerability has been identified in Axios Cache Interceptor versions prior to 1.11.1. This issue arises when a server calls an upstream service using different authentication tokens. The interceptor returns incorrect cached responses, leading to an authorization bypass. The vulnerability occurs because the cache key is generated solely from the URL, disregarding request headers like 'Authorization'. When the server responds with 'Vary: Authorization', indicating that the response varies by authentication token, the interceptor fails to account for this. As a result, all requests share the same cache, regardless of authorization. This vulnerability affects server-side applications that use Axios Cache Interceptor to cache requests to upstream services, handle requests from multiple users with different authentication tokens, and rely on 'Vary' headers to differentiate caches. In contrast, browser-based applications, which operate with a single user per session, are not impacted.
Impact
Exploitation of this vulnerability allows an authorization bypass: a response cached for one authentication token is served to requests made with a different token. This both bypasses the upstream authorization check and leaks one user's data into other authenticated sessions.
Reproduction
To reproduce this vulnerability, set up a server that responds differently based on the 'Authorization' header and includes a 'Vary: Authorization' response header. Then use Axios Cache Interceptor to make requests to this server with varying 'Authorization' tokens. Because the cache key ignores the header, the interceptor reuses the first cached response for every token, so one user receives another user's data.
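The following is an added example, not code from axios-cache-interceptor or this advisory. It models the defect described in the Vulnerability and Reproduction sections with a tiny in-memory response cache and a constructed upstream stub (the token table, the '/me' URL and the user names are all made up). In its vulnerable mode the cache keys on method and URL alone; in its hardened mode it also records, per stored entry, the values of the request headers named in the response's Vary header and reuses an entry only when those values match, which is the secondary-key behaviour HTTP caches are expected to implement (RFC 9111, section 4.1).

```javascript
// Constructed stand-in for an upstream service. It answers per token and
// declares that with "Vary: Authorization". Tokens and names are made up.
const TOKENS = {
  'Bearer alice-token': 'alice',
  'Bearer bob-token': 'bob',
};

function upstream(request) {
  const user = TOKENS[request.headers.authorization];
  return {
    status: user ? 200 : 401,
    headers: { vary: 'Authorization' },
    data: user ? { profile: user } : { error: 'unauthorized' },
  };
}

// Parse a Vary value into lower-cased header names; "*" means "never reuse".
function parseVary(vary) {
  return (vary || '').split(',').map(h => h.trim().toLowerCase()).filter(Boolean);
}

class ResponseCache {
  constructor({ honorVary }) {
    this.honorVary = honorVary;
    this.entries = new Map(); // primary key (method + URL) -> [entry, ...]
  }

  primaryKey(request) {
    return `${request.method} ${request.url}`;
  }

  lookup(request) {
    const candidates = this.entries.get(this.primaryKey(request)) || [];
    for (const entry of candidates) {
      // Vulnerable behaviour: any stored response for this URL is reused,
      // whoever made the original request.
      if (!this.honorVary) return entry.response;
      // Hardened behaviour: reuse only when every header named in Vary has
      // the same value it had on the request that produced the entry.
      const matches = entry.varyNames.every(
        name => (request.headers[name] ?? '') === entry.varyValues[name],
      );
      if (matches) return entry.response;
    }
    return undefined;
  }

  save(request, response) {
    const varyNames = parseVary(response.headers.vary);
    if (this.honorVary && varyNames.includes('*')) return; // Vary: * is uncacheable
    const varyValues = {};
    for (const name of varyNames) varyValues[name] = request.headers[name] ?? '';
    const key = this.primaryKey(request);
    if (!this.entries.has(key)) this.entries.set(key, []);
    this.entries.get(key).push({ varyNames, varyValues, response });
  }
}

// One request through the cache. Returns the response plus whether it was a
// cache hit, so a cross-user mix-up is observable.
function fetchWithCache(cache, request) {
  const cached = cache.lookup(request);
  if (cached) return { ...cached, fromCache: true };
  const response = upstream(request);
  if (response.status === 200) cache.save(request, response);
  return { ...response, fromCache: false };
}

// The advisory's reproduction: two users, same URL, different tokens.
function reproduce(honorVary) {
  const cache = new ResponseCache({ honorVary });
  const req = token => ({ method: 'GET', url: '/me', headers: { authorization: token } });
  const alice = fetchWithCache(cache, req('Bearer alice-token'));
  const bob = fetchWithCache(cache, req('Bearer bob-token'));
  return { aliceSees: alice.data.profile, bobSees: bob.data.profile, bobFromCache: bob.fromCache };
}

console.log('url-only key:  ', reproduce(false)); // bob is served alice's profile
console.log('vary-aware key:', reproduce(true));  // each user sees their own data
```

With `honorVary: false` the second caller gets the first caller's cached profile, which is the behaviour the advisory describes; with `honorVary: true` the Authorization value becomes part of the match, so Bob's request misses the cache and reaches the upstream with his own token. The same structure also handles a server that varies on more than one header, since every name listed in Vary is compared.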
Remediation
Upgrade to Axios Cache Interceptor version 1.11.1 or later. No code changes are required, as the protection is automatic.