Skip to main content

Hono CVE-2025-71381

| EUVDEUVD-2025-210393 MEDIUM
HTTP Response Splitting (CWE-113)
2026-06-30 VulnCheck GHSA-cw3j-28qq-x3xh
6.9
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.5 MEDIUM

Network-reachable, no privileges or interaction needed; low C and I because impact is limited to cache pollution and partial CORS bypass.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
Jul 01, 2026 - 02:16 EUVD
Analysis Generated
Jun 30, 2026 - 23:41 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 11 npm packages depend on hono (9 direct, 2 indirect)

Ecosystem-wide dependent count for version 4.10.3.

DescriptionCVE.org

Hono before 4.10.2 (fixed in 4.10.3) contains a flaw in its CORS middleware: when the origin is not set to "*", the middleware copies the Vary header from the incoming request into the response. Because Vary is a response header that should be managed by the server, an attacker can supply arbitrary Vary values that are reflected into the response, potentially causing cache key pollution and inconsistent CORS enforcement in environments that rely on shared caches or proxies.

AnalysisAI

Header injection in Hono's CORS middleware exposes applications to cache key pollution across versions before 4.10.3. When the CORS origin option is configured to anything other than wildcard *, the middleware incorrectly promotes client-supplied Vary header values from the incoming request directly into the HTTP response - a behavior violating the HTTP specification, which reserves Vary as a server-managed response header. In environments using shared caches, CDNs, or reverse proxies, an attacker can craft requests with arbitrary Vary values to poison cache entries, potentially causing incorrect CORS policies to be enforced for legitimate downstream users. No public exploit code and no CISA KEV listing have been identified at time of analysis.

Technical ContextAI

Hono (CPE: cpe:2.3:a:hono:hono:*:*:*:*:*:*:*:*) is a lightweight, edge-first TypeScript web framework popular on Cloudflare Workers, Deno, Bun, and Node.js runtimes. The vulnerability falls under CWE-113 (Improper Neutralization of CRLF Sequences in HTTP Headers), which encompasses the broader class of HTTP header injection flaws where attacker-controlled data is inserted into response headers without sanitization or semantic validation. In this case, the Hono CORS middleware fails to distinguish between request headers (attacker-controlled) and response headers (server-managed). The Vary response header instructs caches which request headers should be used to differentiate cached responses; polluting it with arbitrary attacker-supplied values manipulates cache keying logic in shared reverse proxies or CDNs. The flaw was introduced in the non-wildcard code path and was fixed in Hono 4.10.3 per the GitHub security advisory GHSA-q7jf-gf43-6x6p.

RemediationAI

Upgrade Hono to version 4.10.3 or later, which resolves the header injection in the CORS middleware - this is the definitive fix per the GitHub security advisory GHSA-q7jf-gf43-6x6p. For environments where immediate upgrade is not feasible, a targeted workaround is to explicitly strip or normalize the Vary header in a custom middleware placed after the CORS middleware, ensuring client-supplied values are never reflected. Alternatively, if the application's CORS policy permits, temporarily setting origin: '*' bypasses the vulnerable code path but may broaden cross-origin access beyond intended policy - assess the security trade-off against the deployment's trust model. For applications deployed behind CDNs or caching proxies, consider configuring the cache layer to ignore or normalize the Vary header for CORS-related responses as a compensating control; note that this may have side effects on legitimate content negotiation. The VulnCheck advisory at https://www.vulncheck.com/advisories/hono-vary-header-injection-in-cors-middleware may contain additional remediation context.

More in Hono

View all
CVE-2024-48913 MEDIUM POC
5.9 Oct 15

Hono, a web framework, prior to version 4.6.5 is vulnerable to bypass of cross-site request forgery (CSRF) middleware by

CVE-2024-32869 MEDIUM POC
5.3 Apr 23

Hono is a Web application framework that provides support for any JavaScript runtime. Rated medium severity (CVSS 5.3),

CVE-2024-43787 MEDIUM POC
5.0 Aug 22

Hono is a Web application framework that provides support for any JavaScript runtime. Rated medium severity (CVSS 5.0),

CVE-2023-50710 MEDIUM POC
4.3 Dec 14

Hono is a web framework written in TypeScript. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploita

CVE-2026-27700 HIGH
8.2 Feb 25

Hono is a Web application framework that provides support for any JavaScript runtime. [CVSS 8.2 HIGH]

CVE-2026-22818 HIGH
8.2 Jan 13

Hono versions before 4.11.4 allow JWT algorithm confusion attacks through improper algorithm validation in the JWK/JWKS

CVE-2026-22817 HIGH
8.2 Jan 13

Hono before version 4.11.4 contains a JWT algorithm confusion vulnerability in its JWK/JWKS verification middleware that

CVE-2026-29045 HIGH
7.5 Mar 04

Hono versions prior to 4.12.4 suffer from an authentication bypass in serveStatic when combined with route-based middlew

CVE-2020-27217 HIGH
7.5 Nov 13

In Eclipse Hono version 1.3.0 and 1.4.0 the AMQP protocol adapter does not verify the size of AMQP messages received fro

CVE-2026-56762 MEDIUM
6.9 Jun 23

Missing cookie name validation on the write path in Hono's setCookie(), serialize(), and serializeSigned() functions all

CVE-2026-59896 MEDIUM
6.5 Jul 08

Server-side rendering in Hono's JSX module (versions 4.11.8 through before 4.12.27) fails to isolate context values per

CVE-2026-29085 MEDIUM
6.5 Mar 04

Hono versions up to 4.12.4 contains a vulnerability that allows attackers to injection of additional SSE fields within t

Share

CVE-2025-71381 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy