Hono Cache Middleware CVE-2026-44457
MEDIUMSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
3Blast Radius
ecosystem impact- 28 npm packages depend on hono (25 direct, 3 indirect)
Ecosystem-wide dependent count for version 4.12.18.
DescriptionGitHub Advisory
Summary
Cache Middleware does not skip caching for responses that declare per-user variance via Vary: Authorization or Vary: Cookie. As a result, a response cached for one authenticated user may be served to subsequent requests from different users.
Details
The Cache Middleware skips caching when a response carries Vary: *, certain Cache-Control directives (private, no-store, no-cache), or Set-Cookie. However, Vary: Authorization and Vary: Cookie - the standard signals defined in RFC 9110 / RFC 9111 to indicate per-user responses - are not treated as cache-skip reasons.
This issue arises when applications use the Cache Middleware on endpoints that return user-specific data and rely on Vary: Authorization or Vary: Cookie to scope the response per user, without also setting Cache-Control: private.
Impact
A user may receive a cached response that was originally generated for a different authenticated user. This may lead to:
- Disclosure of personally identifiable information or other user-specific data present in the response body
- Inconsistent or incorrect behavior in user-specific endpoints
This issue affects applications that use the Cache Middleware on endpoints whose responses vary by Authorization or Cookie and that do not also set Cache-Control: private.
AnalysisAI
Hono's Cache Middleware incorrectly caches responses marked with Vary: Authorization or Vary: Cookie headers, allowing cached responses intended for one authenticated user to be served to subsequent requests from different users. This information disclosure vulnerability affects Hono versions prior to 4.12.18 when the middleware is deployed on endpoints returning user-specific data without also setting Cache-Control: private. No special attack complexity is required - remote unauthenticated attackers can trigger the vulnerability through sequential requests to affected endpoints.
Technical ContextAI
Hono is a Node.js web framework that includes a Cache Middleware component designed to cache HTTP responses. The vulnerability exists in the middleware's logic for determining which responses should be cached. According to RFC 9110 and RFC 9111, the Vary header signals that a response varies based on specific request headers, and when Authorization or Cookie headers are listed, it indicates the response is user-specific and should not be shared across different users. The Cache Middleware currently checks for Vary: * (wildcard), Cache-Control directives (private, no-store, no-cache), and Set-Cookie headers as cache-skip signals, but fails to recognize Vary: Authorization and Vary: Cookie as signals that a response must not be cached. The root cause is an incomplete implementation of HTTP caching semantics (CWE-524: Information Exposure Through Cache), where the middleware does not respect the full set of HTTP standards-defined signals for user-specific content.
RemediationAI
Upgrade Hono to version 4.12.18 or later to receive the vendor-released patch that adds Vary: Authorization and Vary: Cookie to the list of cache-skip signals. For applications unable to immediately upgrade, implement a compensating control by explicitly setting Cache-Control: private on all endpoints returning user-specific data, in addition to setting Vary headers. This ensures responses are cached only by private caches (browsers, clients) and not shared by intermediary caches, though it reduces caching benefits. Alternative mitigation: disable the Cache Middleware on endpoints that return per-user data until the patch is applied. See vendor advisory at https://github.com/honojs/hono/security/advisories/GHSA-p77w-8qqv-26rm for patch availability confirmation and deployment guidance.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-p77w-8qqv-26rm