CurioWire

Bunny.net CDN Flaw Could Cache Private API Data for the Wrong Users

Technology | Published 22 Mar 2026
Quick Summary
  • What: A publicly described Bunny.net CDN caching flaw in June 2023 could serve authenticated API responses without properly checking the Authorization header, risking exposure of private data.
  • Where: Bunny.net’s CDN cache in front of authenticated API endpoints.
  • When: June 2023.

In June 2023, a publicly described flaw in Bunny.net’s CDN raised a basic but serious problem: authenticated API responses could be cached and then served without properly respecting who was authorized to see them.

The issue centered on the Authorization header, which APIs commonly use to distinguish one signed-in user from another. If a CDN ignores that header when deciding whether a response can be cached and which requests a stored copy may answer, a private response can stop being private. One user’s data may be stored at the edge and later delivered to someone else requesting the same endpoint.

How CDN Caching Broke API Privacy

That kind of failure is easy to miss because nothing about it looks dramatic at first. The app still works. The API still answers. The CDN still does what CDNs are supposed to do and speeds things up. The problem is that performance infrastructure can quietly become part of the access-control path, and if it treats authenticated traffic like generic public content, sensitive data can leak through ordinary requests.

What made this case notable was not just the bug itself, but how routine the setup could appear. Developers often place APIs behind CDNs for speed and availability. If caching rules are too broad, or if critical request headers are not taken into account, the result is not a classic break-in. It is a system handing out stored responses to the wrong audience.

Bunny.net Cache Exposure Risk

For companies relying on Bunny.net at the time, the risk was straightforward: private account data, internal API output, or other authenticated responses could potentially be exposed through the cache. That turns a configuration or platform-level oversight into a user-facing privacy problem very quickly.

The wider lesson is concrete. A CDN is not just a delivery layer when it sits in front of authenticated endpoints; it is helping decide what can be reused and for whom. If that boundary is handled incorrectly, private API data can become publicly retrievable without any attacker needing special access. In practice, that makes cache behavior as important to security as the application code behind it.

Did You Know?

HTTP caching behavior is largely controlled by response headers such as Cache-Control, which tells intermediaries whether and for how long content may be reused (for example, private marks a response as unfit for a shared cache), and Vary, which names the request headers (such as Authorization) a cache must compare before serving a stored response to a different request.
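The following is an added illustration, not code from the article or from Bunny.net: a toy shared edge cache in front of a constructed API, where `honour_headers=False` models the class of flaw described above (the cache keys on the URL alone and ignores Cache-Control and Vary) and `honour_headers=True` shows the behaviour the headers above are meant to produce. The accounts, tokens and endpoint paths are constructed for the example.

```python
# Added example, not code from the article or from Bunny.net: a toy shared edge
# cache in front of a constructed authenticated API. honour_headers=False models
# the class of flaw described above (cache key is the URL alone; Cache-Control
# and Vary are ignored), so Bob is served Alice's cached response.
from typing import Dict, List, Tuple

Headers = Dict[str, str]
# Constructed accounts: bearer token -> account email.
ACCOUNTS = {"Bearer tok-alice": "alice@example.com", "Bearer tok-bob": "bob@example.com"}


def origin(path: str, req: Headers) -> Tuple[int, Headers, str]:
    """Constructed origin. /v1/status is public; /v1/me and /v1/feed are per-user."""
    if path == "/v1/status":
        return 200, {"Cache-Control": "public, max-age=60"}, '{"ok": true}'
    user = ACCOUNTS.get(req.get("Authorization", ""))
    if user is None or path not in ("/v1/me", "/v1/feed"):
        return 401, {"Cache-Control": "no-store"}, '{"error": "unauthorized"}'
    if path == "/v1/me":  # account data: a shared cache must never store it
        return 200, {"Cache-Control": "private, max-age=60"}, f'{{"email": "{user}"}}'
    # personalised feed: cacheable at the edge, but only per Authorization value
    return 200, {"Cache-Control": "max-age=60", "Vary": "Authorization"}, f'{{"feed_for": "{user}"}}'


class EdgeCache:
    def __init__(self, honour_headers: bool) -> None:
        self.honour_headers = honour_headers
        # path -> list of (request-header values the entry varies on, status, body)
        self.store: Dict[str, List[Tuple[Headers, int, str]]] = {}

    def fetch(self, path: str, req: Headers) -> Tuple[int, str, bool]:
        """Return (status, body, served_from_cache)."""
        for varied, status, body in self.store.get(path, []):
            # The flawed cache stores varied == {} and so matches every requester.
            if all(req.get(h, "") == v for h, v in varied.items()):
                return status, body, True
        status, hdrs, body = origin(path, req)
        cc, varied = hdrs.get("Cache-Control", ""), {}
        if self.honour_headers:
            if "private" in cc or "no-store" in cc:
                return status, body, False  # never stored in a shared cache
            varied = {h.strip(): req.get(h.strip(), "") for h in hdrs.get("Vary", "").split(",") if h.strip()}
        if status == 200:
            self.store.setdefault(path, []).append((varied, status, body))
        return status, body, False


def second_user_sees(path: str, honour_headers: bool) -> Tuple[str, bool]:
    """Alice requests `path` first, then Bob; return Bob's body and whether it came from cache."""
    cache = EdgeCache(honour_headers)
    cache.fetch(path, {"Authorization": "Bearer tok-alice"})
    _, body, from_cache = cache.fetch(path, {"Authorization": "Bearer tok-bob"})
    return body, from_cache
```

With `honour_headers=False`, `second_user_sees("/v1/me", False)` hands Bob Alice's account record straight from the cache; with `honour_headers=True`, the private response is never stored, the personalised feed is keyed per Authorization value, and only the public status endpoint is shared between users.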