CVE-2025-71381
MediumCVSS 6.5Exploitation Probability (EPSS)
Low risk20th percentile — higher than 20% of all known CVEs
Summary
A vulnerability in Hono before version 4.10.2 (fixed in 4.10.3) in the CORS middleware causes the Vary header from the incoming request to be copied into the response when the origin is not set to "*". An attacker can supply arbitrary Vary values that are reflected in the response, leading to cache key pollution and inconsistent CORS enforcement in environments relying on shared caches or proxies.
Risk Assessment
The organization is at risk of cache poisoning attacks, potentially leading to data leakage or unauthorized access due to inconsistent CORS enforcement.
Recommendation
Immediately upgrade Hono to version 4.10.3 or later, which includes a fix that prevents reflecting the Vary header.
Original NVD description (English source)
Hono before 4.10.2 (fixed in 4.10.3) contains a flaw in its CORS middleware: when the origin is not set to "*", the middleware copies the Vary header from the incoming request into the response. Because Vary is a response header that should be managed by the server, an attacker can supply arbitrary Vary values that are reflected into the response, potentially causing cache key pollution and inconsistent CORS enforcement in environments that rely on shared caches or proxies.

