undici cache interceptor misclassifies whitespace-padded private/no-cache responses as cacheable
What changed
Undici's cache interceptor could treat a response as cacheable when its Cache-Control header used the qualified form of private or no-cache (the variant that names specific header fields) with whitespace padding around the field-name list instead of the canonical, unpadded spelling. The directive was not recognised, so in shared-cache mode a response the origin had marked private could be stored and served to other clients, potentially leaking authenticated data.
Who it affects
Applications that explicitly enable the cache interceptor in shared mode, forward Authorization headers upstream, and receive otherwise cacheable responses whose Cache-Control carries a non-canonical (whitespace-padded) qualified private or no-cache directive.
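The following is an added illustration, not undici's code, of the two points above: how a token-matching Cache-Control check misses a whitespace-padded qualified directive, and what a tolerant parser plus the RFC 9111 shared-cache rules for Authorization look like instead. Function names, the sample header values and the conservative policy choices (stripping named fields, refusing unqualified no-cache) are assumptions made for the example.

```javascript
// Added example (not undici's code). Illustrative names and sample inputs.

// Naive check: split on commas, compare whole tokens. For
//   Cache-Control: private = "Authorization"
// the directive name becomes `private ` (trailing space), which matches
// nothing, so the response is wrongly reported as shareable.
function naiveIsShareable(cacheControl) {
  for (const token of cacheControl.split(',')) {
    const name = token.trim().toLowerCase().split('=')[0];
    if (name === 'private' || name === 'no-store' || name === 'no-cache') return false;
  }
  return true;
}

// Tolerant parser: skips optional whitespace (OWS) around '=' and ',', and
// understands quoted-string arguments, which may themselves contain commas.
// Returns Map<directiveName, argument | null>.
function parseCacheControl(value) {
  const out = new Map();
  let i = 0;
  const n = value.length;
  const skipOws = () => { while (i < n && (value[i] === ' ' || value[i] === '\t')) i++; };
  while (i < n) {
    skipOws();
    let start = i;
    while (i < n && !'=, \t'.includes(value[i])) i++;
    const name = value.slice(start, i).toLowerCase();
    skipOws();
    let arg = null;
    if (value[i] === '=') {
      i++;
      skipOws();
      if (value[i] === '"') {
        i++;
        let s = '';
        while (i < n && value[i] !== '"') {
          if (value[i] === '\\' && i + 1 < n) i++; // quoted-pair escape
          s += value[i++];
        }
        i++; // closing quote
        arg = s;
      } else {
        start = i;
        while (i < n && !', \t'.includes(value[i])) i++;
        arg = value.slice(start, i);
      }
    }
    skipOws();
    if (value[i] === ',') i++;
    if (name) out.set(name, arg);
  }
  return out;
}

// "Authorization, Set-Cookie" -> ['authorization', 'set-cookie']
function fieldNames(arg) {
  return arg == null ? [] : arg.split(',').map((f) => f.trim().toLowerCase()).filter(Boolean);
}

// What a *shared* cache may store. Returns { store: false } or
// { store: true, strip: [...] }, where `strip` lists header names that must be
// removed before storing (the qualified private="..." / no-cache="..." forms).
// Unqualified private means "do not store"; unqualified no-cache is treated the
// same way here as a conservative simplification (RFC 9111 allows storing it
// if every use is revalidated). `requestHadAuthorization` applies RFC 9111
// section 3.5: a shared cache must not store the response to a request that
// carried Authorization unless public, must-revalidate or s-maxage allows it.
function sharedCacheDecision(cacheControl, requestHadAuthorization = false) {
  const cc = parseCacheControl(cacheControl);
  if (cc.has('no-store')) return { store: false };
  const strip = new Set();
  for (const d of ['private', 'no-cache']) {
    if (!cc.has(d)) continue;
    const names = fieldNames(cc.get(d));
    if (names.length === 0) return { store: false };
    for (const h of names) strip.add(h);
  }
  if (requestHadAuthorization &&
      !(cc.has('public') || cc.has('must-revalidate') || cc.has('s-maxage'))) {
    return { store: false };
  }
  return { store: true, strip: [...strip] };
}

// Constructed sample: the padded form the naive check misses.
const SAMPLE = 'private = "Authorization, Set-Cookie", max-age=60';
console.log(naiveIsShareable(SAMPLE));        // true  (wrong)
console.log(sharedCacheDecision(SAMPLE));     // { store: true, strip: ['authorization', 'set-cookie'] }
console.log(sharedCacheDecision('max-age=60', true)); // { store: false }
```

The last call shows why "add Vary: Authorization upstream" is only a partial mitigation: a shared cache that follows RFC 9111 section 3.5 should already refuse to store the response to an authenticated request unless the origin opts in explicitly, so the safer interim measure is to keep authenticated traffic out of shared-cache mode altogether.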
What to do today
Upgrade to undici v7.28.0 or v8.5.0. Until you can upgrade, disable shared-cache mode for traffic that carries Authorization headers, avoid caching authenticated responses, or have the upstream send Vary: Authorization.