Skip to main content

Hono Cache Middleware CVE-2026-44457

MEDIUM
Use of Cache Containing Sensitive Information (CWE-524)
2026-05-09 https://github.com/honojs/hono GHSA-p77w-8qqv-26rm
5.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

3
Source Code Evidence Fetched
May 09, 2026 - 01:16 vuln.today
Analysis Generated
May 09, 2026 - 01:16 vuln.today
CVE Published
May 09, 2026 - 00:28 nvd
MEDIUM 5.3

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 28 npm packages depend on hono (25 direct, 3 indirect)

Ecosystem-wide dependent count for version 4.12.18.

DescriptionGitHub Advisory

Summary

Cache Middleware does not skip caching for responses that declare per-user variance via Vary: Authorization or Vary: Cookie. As a result, a response cached for one authenticated user may be served to subsequent requests from different users.

Details

The Cache Middleware skips caching when a response carries Vary: *, certain Cache-Control directives (private, no-store, no-cache), or Set-Cookie. However, Vary: Authorization and Vary: Cookie - the standard signals defined in RFC 9110 / RFC 9111 to indicate per-user responses - are not treated as cache-skip reasons.

This issue arises when applications use the Cache Middleware on endpoints that return user-specific data and rely on Vary: Authorization or Vary: Cookie to scope the response per user, without also setting Cache-Control: private.

Impact

A user may receive a cached response that was originally generated for a different authenticated user. This may lead to:

  • Disclosure of personally identifiable information or other user-specific data present in the response body
  • Inconsistent or incorrect behavior in user-specific endpoints

This issue affects applications that use the Cache Middleware on endpoints whose responses vary by Authorization or Cookie and that do not also set Cache-Control: private.

AnalysisAI

Hono's Cache Middleware incorrectly caches responses marked with Vary: Authorization or Vary: Cookie headers, allowing cached responses intended for one authenticated user to be served to subsequent requests from different users. This information disclosure vulnerability affects Hono versions prior to 4.12.18 when the middleware is deployed on endpoints returning user-specific data without also setting Cache-Control: private. No special attack complexity is required - remote unauthenticated attackers can trigger the vulnerability through sequential requests to affected endpoints.

Technical ContextAI

Hono is a Node.js web framework that includes a Cache Middleware component designed to cache HTTP responses. The vulnerability exists in the middleware's logic for determining which responses should be cached. According to RFC 9110 and RFC 9111, the Vary header signals that a response varies based on specific request headers, and when Authorization or Cookie headers are listed, it indicates the response is user-specific and should not be shared across different users. The Cache Middleware currently checks for Vary: * (wildcard), Cache-Control directives (private, no-store, no-cache), and Set-Cookie headers as cache-skip signals, but fails to recognize Vary: Authorization and Vary: Cookie as signals that a response must not be cached. The root cause is an incomplete implementation of HTTP caching semantics (CWE-524: Information Exposure Through Cache), where the middleware does not respect the full set of HTTP standards-defined signals for user-specific content.

RemediationAI

Upgrade Hono to version 4.12.18 or later to receive the vendor-released patch that adds Vary: Authorization and Vary: Cookie to the list of cache-skip signals. For applications unable to immediately upgrade, implement a compensating control by explicitly setting Cache-Control: private on all endpoints returning user-specific data, in addition to setting Vary headers. This ensures responses are cached only by private caches (browsers, clients) and not shared by intermediary caches, though it reduces caching benefits. Alternative mitigation: disable the Cache Middleware on endpoints that return per-user data until the patch is applied. See vendor advisory at https://github.com/honojs/hono/security/advisories/GHSA-p77w-8qqv-26rm for patch availability confirmation and deployment guidance.

Share

CVE-2026-44457 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy