Impact
Undici's cache interceptor mistakenly treats responses carrying whitespace-padded qualified Cache-Control directives, such as private=" authorization" or no-cache="\tauthorization", as cacheable. The parser keeps the surrounding whitespace in the quoted field name, so the later comparison against the literal "authorization" header name fails and the response is stored in the shared cache. When another user, including an unauthenticated caller, later requests the same cache key, the cached response, which may contain the original user's authenticated data, is served to them, leaking sensitive information. This vulnerability is classified under CWE-1286 (Unauthorized Access to Resource) and CWE-524 (Inadequate Authentication).
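As an added illustration (not Undici's own code), the following script parses a qualified Cache-Control directive with and without trimming the quoted field names and runs a modelled shared-cache storability check over both parses; the function names and the shape of the policy check are assumptions, and the header values are constructed.

```javascript
// Added illustration, not Undici's code: how an untrimmed quoted field
// name defeats a check that compares it against "authorization".

// Parse a Cache-Control value into { name: true | string | [fields] }.
// private="a, b" and no-cache="a, b" become arrays of field names; with
// trim=false each name keeps its surrounding whitespace (the bug).
function parseCacheControl(header, trim) {
  const out = {};
  // Split on commas outside quotes so private="a, b" stays one directive.
  for (const part of header.match(/(?:[^,"]|"[^"]*")+/g) || []) {
    if (!part.trim()) continue; // skip empty list members
    const eq = part.indexOf('=');
    if (eq === -1) { out[part.trim().toLowerCase()] = true; continue; }
    const name = part.slice(0, eq).trim().toLowerCase();
    let value = part.slice(eq + 1).trim();
    if (value.startsWith('"') && value.endsWith('"')) value = value.slice(1, -1);
    out[name] = (name === 'private' || name === 'no-cache')
      ? value.split(',').map((f) => (trim ? f.trim().toLowerCase() : f.toLowerCase()))
      : value;
  }
  return out;
}

// Model (an assumption, not Undici's exact logic) of the decision the
// advisory describes: a response to a request that carried Authorization
// stays out of the shared cache when it is plainly private/no-store, or
// when a qualified private/no-cache list names the authorization field.
function storableInSharedCache(requestHadAuthorization, cacheControl, trim) {
  const cc = parseCacheControl(cacheControl, trim);
  if (cc['no-store'] || cc.private === true) return false;
  if (!requestHadAuthorization) return true;
  const named = [cc.private, cc['no-cache']].filter(Array.isArray).flat();
  return !named.includes('authorization');
}

// Constructed header values: the canonical form and two padded variants.
const CANONICAL = 'max-age=60, private="authorization"';
const PADDED = 'max-age=60, private=" authorization"';
const TABBED = 'max-age=60, no-cache="\tauthorization"';

// Untrimmed parse: the padded variants are wrongly judged storable.
// Trimmed parse: all three are kept out, as the canonical form always is.
for (const h of [CANONICAL, PADDED, TABBED]) {
  console.log(JSON.stringify(h), 'untrimmed:', storableInSharedCache(true, h, false),
    'trimmed:', storableInSharedCache(true, h, true));
}
```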
Affected Systems
The issue affects applications that use the Undici HTTP client library and have explicitly enabled the shared-cache interceptor (interceptors.cache()) while forwarding Authorization headers to upstream services and receiving cacheable responses with non‑canonical qualified private or no‑cache directives. All Undici versions released before v7.28.0 and v8.5.0 are vulnerable.
Risk and Exploitability
The CVSS score of 5.9 indicates a moderate severity, while the EPSS score of less than 1% signals a low likelihood of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. The attack vector requires the application to use shared caching for authenticated requests and to forward Authorization headers to upstream services; an attacker would need to trigger a cached request that returns sensitive data and then make a subsequent request that hits the same cache key. If these conditions are met, the attacker could read another user’s confidential data, representing a significant confidentiality breach.
OpenCVE Enrichment
GitHub GHSA