CVE-2025-71381 Overview
CVE-2025-71381 affects the Hono web framework prior to version 4.10.2, with a fix released in 4.10.3. The vulnerability resides in the Cross-Origin Resource Sharing (CORS) middleware. When the allowed origin is not configured as *, the middleware copies the Vary header value from the incoming request directly into the outgoing response. An attacker can submit arbitrary Vary values that get reflected in the response, leading to cache key pollution and inconsistent CORS enforcement in environments using shared caches or proxies. The issue is classified under [CWE-113] (Improper Neutralization of CRLF Sequences in HTTP Headers / HTTP Response Splitting).
Critical Impact
Attackers can pollute shared cache keys and bypass CORS enforcement by injecting arbitrary Vary header values through the reflected response.
Affected Products
- Hono framework versions prior to 4.10.2
- Applications using Hono CORS middleware with a specific (non-wildcard) origin
- Deployments behind shared HTTP caches or reverse proxies
Discovery Timeline
- 2026-06-30 - CVE-2025-71381 published to NVD
- 2026-07-02 - Last updated in NVD database
Technical Details for CVE-2025-71381
Vulnerability Analysis
Hono is a lightweight web framework used across edge runtimes and Node.js environments. Its CORS middleware handles preflight and simple requests by setting response headers such as Access-Control-Allow-Origin and Vary. When the configured origin is not *, the middleware appends or copies the Vary header from the request into the response. The Vary header is a response-side directive that instructs caches how to key stored responses. Trusting client input for this value breaks that trust boundary. Downstream caches and reverse proxies then use attacker-controlled values to compute cache keys, which corrupts cache behavior and undermines origin-based access decisions.
Root Cause
The root cause is improper handling of request-supplied header values in response construction. The CORS middleware treats the incoming Vary header as if it were server-managed metadata and reflects it back without validation or sanitization. This violates the principle that response headers governing cache semantics must originate from the server.
Attack Vector
An unauthenticated remote attacker sends an HTTP request to a Hono endpoint protected by the vulnerable CORS middleware and includes a crafted Vary header. The server returns a response containing the attacker-controlled Vary value. Shared caches key the response according to that value, poisoning subsequent responses served to other users. In deployments where CORS enforcement depends on consistent cache behavior, this leads to inconsistent policy application and possible cross-origin data leakage. Exploitation requires no privileges, no user interaction, and can be performed over the network. Refer to the GitHub Security Advisory GHSA-q7jf-gf43-6x6p and the VulnCheck Security Advisory for further technical detail.
No verified proof-of-concept code is publicly indexed. The vulnerability mechanism can be reproduced by issuing a request with a custom Vary header to a Hono endpoint using cors() with an explicit origin, then inspecting the response headers.
Detection Methods for CVE-2025-71381
Indicators of Compromise
- Response Vary headers containing unexpected token values that match attacker-controlled request headers.
- Cache logs showing an unusually high number of distinct cache keys for the same endpoint.
- CORS responses where Vary values differ across otherwise identical requests.
Detection Strategies
- Inspect HTTP traffic for requests carrying non-standard Vary header values targeting endpoints served by Hono.
- Compare request Vary headers to response Vary headers and alert when reflection occurs.
- Audit application dependency manifests for Hono versions below 4.10.3 across build pipelines and runtime environments.
Monitoring Recommendations
- Log full request and response header pairs at the ingress proxy for CORS-enabled routes.
- Monitor cache hit and miss ratios for anomalies that indicate key fragmentation.
- Track outbound Vary header entropy over time to identify sudden diversity that suggests injection attempts.
How to Mitigate CVE-2025-71381
Immediate Actions Required
- Upgrade Hono to version 4.10.3 or later across all applications and edge deployments.
- Audit CORS middleware configurations and inventory every service exposing routes with a non-wildcard origin.
- Purge shared caches and CDN edge caches to clear any polluted entries created before the upgrade.
Patch Information
The maintainers fixed the issue in Hono 4.10.3. The patch stops the CORS middleware from copying the request Vary header into the response and instead manages the Vary value on the server side. Details are available in the GitHub Security Advisory GHSA-q7jf-gf43-6x6p.
Workarounds
- Place a reverse proxy in front of the Hono application that strips or overwrites the response Vary header with a fixed value.
- Disable shared caching for CORS-protected routes until the upgrade is applied.
- Restrict CORS to * where the application security model permits, since the flaw only triggers with non-wildcard origins.
# Update Hono to the patched version
npm install hono@^4.10.3
# Verify installed version
npm ls hono
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

