6.5

CVSS Score

3.1

Basic Information

CVE ID

GHSA ID

GHSA-q7jf-gf43-6x6p

EPSS Score

CWE

CWE-444

Published

10/24/2025

Updated

10/24/2025

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-q7jf-gf43-6x6p

GHSA-q7jf-gf43-6x6p: Hono vulnerable to Vary Header Injection leading to potential CORS Bypass

Summary

A flaw in the CORS middleware allowed request Vary headers to be reflected into the response, enabling attacker-controlled Vary values and potentially affecting cache behavior.

Details

The middleware previously copied the Vary header from the request when origin was not set to "*". Since Vary is a response header that should only be managed by the server, this could allow an attacker to influence caching behavior or cause inconsistent CORS handling.

Most environments will see impact only when shared caches or proxies rely on the Vary header. The practical effect varies by configuration.

Impact

May cause cache key pollution and inconsistent CORS enforcement in certain setups. No direct confidentiality, integrity, or availability impact in default configurations.

Resolution

Update to the latest patched release. The CORS middleware has been corrected to handle Vary exclusively as a response header.

(GitHub Advisory)

6.5

CVSS Score

3.1

Basic Information

CVE ID

GHSA ID

GHSA-q7jf-gf43-6x6p

EPSS Score

CWE

CWE-444

Published

10/24/2025

Updated

10/24/2025

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
hono	npm	< 4.10.3	4.10.3

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability lies within the cors middleware of the Hono framework. The provided patch d9b8b4b73b4f997994f2764013207365fe711282 clearly shows the removal of code that was responsible for this behavior. Specifically, the lines that read the Vary header from the request (c.req.header('Vary')) and then set it on the response have been removed. The fix involves correctly setting the Vary header to Origin on the response, and appending it if the header already exists, which is the correct behavior for a CORS middleware. The vulnerable function is therefore the main cors function itself, as it contained the flawed logic.

Vulnerable functions

cors

src/middleware/cors/index.ts

The `cors` middleware function was vulnerable because it would reflect the `Vary` header from the incoming request to the response headers. An attacker could send a request with a crafted `Vary` header, which would then be present in the response. This could lead to cache poisoning or other cache-related issues, as well as potential CORS bypasses depending on the caching infrastructure.

WAF Protection Rules

WAF Rule

### Summ*ry * *l*w in t** *ORS mi**l*w*r* *llow** r*qu*st `V*ry` *****rs to ** r**l**t** into t** r*spons*, *n**lin* *tt**k*r-*ontroll** `V*ry` v*lu*s *n* pot*nti*lly *****tin* ***** ****vior. ### **t*ils T** mi**l*w*r* pr*viously *opi** t** `V*

Reasoning

T** vuln*r**ility li*s wit*in t** `*ors` mi**l*w*r* o* t** *ono *r*m*work. T** provi*** p*t** `****************************************` *l**rly s*ows t** r*mov*l o* *o** t**t w*s r*sponsi*l* *or t*is ****vior. Sp**i*i**lly, t** lin*s t**t r*** t** `

6.5

Basic Information

Concerned about an active attack path?

GHSA-q7jf-gf43-6x6p: Hono vulnerable to Vary Header Injection leading to potential CORS Bypass

Summary

Details

Impact

Resolution

6.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI