CVE-2025-71381
Status: Received - Intake

Hono CORS Middleware Vary Header Reflection Vulnerability

Vulnerability report for CVE-2025-71381, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-30

Last updated on: 2026-06-30

Assigner: VulnCheck

Description

Hono before 4.10.2 (fixed in 4.10.3) contains a flaw in its CORS middleware: when the configured origin is not "*", the middleware copies the Vary header from the incoming request into the response. Vary is a response header that the server, not the client, should set, so an attacker can supply arbitrary Vary values that are reflected into the response. Because shared caches and proxies use Vary to build their cache keys, this can cause cache key pollution and inconsistent CORS enforcement in environments that rely on them.
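The behaviour described above, as an added example that is not Hono's code or part of this report: a minimal CORS step in the vulnerable shape (Vary copied from the request) beside a hardened one (Vary derived from the response and always including Origin), run against a toy model of a shared cache that selects stored responses using the stored response's Vary header. The origins, URL, function names and the cache model are assumptions made for illustration; the code uses the standard Fetch API Headers and Response objects available in Node 18 or later.

```javascript
// Added example (not Hono's code): a minimal CORS step modelled on the flaw the
// advisory describes, in vulnerable and hardened form, plus a toy shared-cache
// key function. Uses the Fetch API Headers/Response globals (Node 18+).
// Origins, URL and all names below are constructed for illustration.

const ALLOWED_ORIGINS = ["https://app.example", "https://partner.example"];

// A fresh upstream response per call, as an application handler would produce.
function upstream() {
  return new Response('{"ok":true}', {
    status: 200,
    headers: { "Content-Type": "application/json", Vary: "Accept-Encoding" },
  });
}

// Echo the request's Origin only when it is on the allow-list.
function allowedOrigin(req) {
  const origin = req.headers.get("Origin");
  return ALLOWED_ORIGINS.includes(origin) ? origin : null;
}

// VULNERABLE: with a non-"*" origin policy, Vary is copied from the *request*
// (attacker-controlled) instead of being built from the response.
function corsVulnerable(req, up) {
  const headers = new Headers(up.headers);
  const origin = allowedOrigin(req);
  if (origin) headers.set("Access-Control-Allow-Origin", origin);
  const requestVary = req.headers.get("Vary");
  headers.set("Vary", requestVary ?? "Origin");
  return new Response(up.body, { status: up.status, headers });
}

// Append a field name to the response's Vary without duplicating it and
// without downgrading an existing "Vary: *".
function appendVary(headers, field) {
  const fields = (headers.get("Vary") ?? "").split(",").map((s) => s.trim()).filter(Boolean);
  if (fields.includes("*")) return;
  if (!fields.some((f) => f.toLowerCase() === field.toLowerCase())) fields.push(field);
  headers.set("Vary", fields.join(", "));
}

// HARDENED: the request's Vary header is ignored; Vary is derived from the
// response's own headers and Origin is always added, because the value of
// Access-Control-Allow-Origin depends on the request's Origin.
function corsHardened(req, up) {
  const headers = new Headers(up.headers);
  const origin = allowedOrigin(req);
  if (origin) headers.set("Access-Control-Allow-Origin", origin);
  appendVary(headers, "Origin");
  return new Response(up.body, { status: up.status, headers });
}

// Toy shared-cache key: URL plus the request's values for the header fields
// named in the *stored response's* Vary (that is how a cache selects a stored
// response for a new request). Returns null for "Vary: *". Freshness ignored.
function cacheKey(req, storedRes) {
  const fields = (storedRes.headers.get("Vary") ?? "")
    .split(",").map((s) => s.trim().toLowerCase()).filter(Boolean).sort();
  if (fields.includes("*")) return null;
  const dims = fields.map((f) => `${f}=${req.headers.get(f) ?? ""}`);
  return `${req.url}|${dims.join("&")}`;
}

// Constructed traffic: the same URL requested first by an attacker (who can send
// any header with curl), then by a browser on a different allow-listed origin.
function makeRequest(headers) {
  return { url: "https://api.example/data", headers: new Headers(headers) };
}

function demo(corsFn) {
  const attacker = makeRequest({ Origin: "https://partner.example", Vary: "Accept-Encoding" });
  const victim = makeRequest({ Origin: "https://app.example" });
  const stored = corsFn(attacker, upstream()); // what a shared cache would store
  const storedKey = cacheKey(attacker, stored);
  return {
    responseVary: stored.headers.get("Vary"),
    storedAllowOrigin: stored.headers.get("Access-Control-Allow-Origin"),
    // true: the cache would serve the stored (partner.example) response to app.example
    servedToOtherOrigin: storedKey !== null && storedKey === cacheKey(victim, stored),
  };
}

console.log("vulnerable:", demo(corsVulnerable));
console.log("hardened:  ", demo(corsHardened));
```

Run with `node`. In the vulnerable path the attacker's request removes Origin from the response's Vary, so the toy cache computes the same key for a later request from a different allow-listed origin and would serve it an Access-Control-Allow-Origin value computed for the attacker's chosen origin. The hardened path never reads Vary from the request, merges Origin into whatever Vary the response already carries, and preserves an existing `Vary: *`.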

CVSS Scores

EPSS Scores

Probability: not yet evaluated
Percentile: not yet evaluated

Meta Information

Published: 2026-06-30
Last Modified: 2026-06-30
Generated: 2026-07-01
AI Q&A: 2026-07-01
EPSS Evaluated: N/A
External records: NVD, EUVD

Affected Vendors & Products

Currently, no data is known.

Helpful Resources

Exploitability

CWE ID: CWE-113
Description: The product receives data from an HTTP agent/component (e.g., web server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers.
KEV: Currently, no data is known.

Note that CWE-113 describes missing CR/LF neutralization, whereas the flaw described above is the reflection of a client-supplied Vary value into a response header; the weakness mapping should be read with that distinction in mind.

Attack-Flow Graph

Mitigation Strategies

To mitigate this vulnerability, upgrade Hono to version 4.10.3 or later, where the CORS middleware no longer copies the request's Vary header into the response. After upgrading, a quick check is to send a request carrying an arbitrary Vary header (for example with curl) to a CORS-enabled route and confirm that the response's Vary header is not the echoed value and still lists Origin. Until the upgrade is deployed, avoid caching responses from CORS-enabled routes in shared caches or proxies.

Executive Summary

This vulnerability exists in Hono versions before 4.10.2 and is fixed in 4.10.3. It is related to the CORS middleware, which incorrectly handles the Vary header. When the origin is not set to "*", the middleware copies the Vary header from the incoming request into the response. Since the Vary header is a response header that should be controlled by the server, an attacker can supply arbitrary Vary values that get reflected in the response.

This flaw can lead to cache key pollution and inconsistent enforcement of CORS policies, especially in environments that use shared caches or proxies.

Impact Analysis

The vulnerability lets an attacker control the response's Vary header, and therefore which request headers a shared cache or proxy includes in its cache key. A request carrying a Vary header that omits Origin, for example, causes the CORS middleware to emit a response without Vary: Origin; a shared cache may then store that response, with an Access-Control-Allow-Origin value computed for the attacker's chosen origin, and serve it to requests from other origins. The result is inconsistent CORS enforcement: cross-origin requests that should be rejected may succeed, and legitimate requests may be blocked because the cached Allow-Origin value does not match their origin.

In environments relying on shared caches or proxies, this inconsistency can lead to data leakage or unauthorized access due to improper CORS policy enforcement. Deployments whose CORS origin is configured as "*" do not reach the affected code path, and deployments that do not cache CORS responses in a shared cache are less exposed.
