Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable, no privileges or interaction needed; low C and I because impact is limited to cache pollution and partial CORS bypass.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2Blast Radius
ecosystem impact- 11 npm packages depend on hono (9 direct, 2 indirect)
Ecosystem-wide dependent count for version 4.10.3.
DescriptionCVE.org
Hono before 4.10.2 (fixed in 4.10.3) contains a flaw in its CORS middleware: when the origin is not set to "*", the middleware copies the Vary header from the incoming request into the response. Because Vary is a response header that should be managed by the server, an attacker can supply arbitrary Vary values that are reflected into the response, potentially causing cache key pollution and inconsistent CORS enforcement in environments that rely on shared caches or proxies.
AnalysisAI
Header injection in Hono's CORS middleware exposes applications to cache key pollution across versions before 4.10.3. When the CORS origin option is configured to anything other than wildcard *, the middleware incorrectly promotes client-supplied Vary header values from the incoming request directly into the HTTP response - a behavior violating the HTTP specification, which reserves Vary as a server-managed response header. In environments using shared caches, CDNs, or reverse proxies, an attacker can craft requests with arbitrary Vary values to poison cache entries, potentially causing incorrect CORS policies to be enforced for legitimate downstream users. No public exploit code and no CISA KEV listing have been identified at time of analysis.
Technical ContextAI
Hono (CPE: cpe:2.3:a:hono:hono:*:*:*:*:*:*:*:*) is a lightweight, edge-first TypeScript web framework popular on Cloudflare Workers, Deno, Bun, and Node.js runtimes. The vulnerability falls under CWE-113 (Improper Neutralization of CRLF Sequences in HTTP Headers), which encompasses the broader class of HTTP header injection flaws where attacker-controlled data is inserted into response headers without sanitization or semantic validation. In this case, the Hono CORS middleware fails to distinguish between request headers (attacker-controlled) and response headers (server-managed). The Vary response header instructs caches which request headers should be used to differentiate cached responses; polluting it with arbitrary attacker-supplied values manipulates cache keying logic in shared reverse proxies or CDNs. The flaw was introduced in the non-wildcard code path and was fixed in Hono 4.10.3 per the GitHub security advisory GHSA-q7jf-gf43-6x6p.
RemediationAI
Upgrade Hono to version 4.10.3 or later, which resolves the header injection in the CORS middleware - this is the definitive fix per the GitHub security advisory GHSA-q7jf-gf43-6x6p. For environments where immediate upgrade is not feasible, a targeted workaround is to explicitly strip or normalize the Vary header in a custom middleware placed after the CORS middleware, ensuring client-supplied values are never reflected. Alternatively, if the application's CORS policy permits, temporarily setting origin: '*' bypasses the vulnerable code path but may broaden cross-origin access beyond intended policy - assess the security trade-off against the deployment's trust model. For applications deployed behind CDNs or caching proxies, consider configuring the cache layer to ignore or normalize the Vary header for CORS-related responses as a compensating control; note that this may have side effects on legitimate content negotiation. The VulnCheck advisory at https://www.vulncheck.com/advisories/hono-vary-header-injection-in-cors-middleware may contain additional remediation context.
Hono, a web framework, prior to version 4.6.5 is vulnerable to bypass of cross-site request forgery (CSRF) middleware by
Hono is a Web application framework that provides support for any JavaScript runtime. Rated medium severity (CVSS 5.3),
Hono is a Web application framework that provides support for any JavaScript runtime. Rated medium severity (CVSS 5.0),
Hono is a web framework written in TypeScript. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploita
Hono is a Web application framework that provides support for any JavaScript runtime. [CVSS 8.2 HIGH]
Hono versions before 4.11.4 allow JWT algorithm confusion attacks through improper algorithm validation in the JWK/JWKS
Hono before version 4.11.4 contains a JWT algorithm confusion vulnerability in its JWK/JWKS verification middleware that
Hono versions prior to 4.12.4 suffer from an authentication bypass in serveStatic when combined with route-based middlew
In Eclipse Hono version 1.3.0 and 1.4.0 the AMQP protocol adapter does not verify the size of AMQP messages received fro
Missing cookie name validation on the write path in Hono's setCookie(), serialize(), and serializeSigned() functions all
Server-side rendering in Hono's JSX module (versions 4.11.8 through before 4.12.27) fails to isolate context values per
Hono versions up to 4.12.4 contains a vulnerability that allows attackers to injection of additional SSE fields within t
Same weakness CWE-113 – HTTP Response Splitting
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210393
GHSA-cw3j-28qq-x3xh