CVE Catalog

CVE-2025-71381

MediumCVSS 6.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.28%

20th percentile — higher than 20% of all known CVEs

Summary

A vulnerability in Hono before version 4.10.2 (fixed in 4.10.3) in the CORS middleware causes the Vary header from the incoming request to be copied into the response when the origin is not set to "*". An attacker can supply arbitrary Vary values that are reflected in the response, leading to cache key pollution and inconsistent CORS enforcement in environments relying on shared caches or proxies.

Risk Assessment

The organization is at risk of cache poisoning attacks, potentially leading to data leakage or unauthorized access due to inconsistent CORS enforcement.

Recommendation

Immediately upgrade Hono to version 4.10.3 or later, which includes a fix that prevents reflecting the Vary header.

Original NVD description (English source)

Hono before 4.10.2 (fixed in 4.10.3) contains a flaw in its CORS middleware: when the origin is not set to "*", the middleware copies the Vary header from the incoming request into the response. Because Vary is a response header that should be managed by the server, an attacker can supply arbitrary Vary values that are reflected into the response, potentially causing cache key pollution and inconsistent CORS enforcement in environments that rely on shared caches or proxies.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS