GHSA-q7jf-gf43-6x6p: 
JavaScript vulnerability analysis and mitigation

A vulnerability was discovered in Hono's CORS middleware (GHSA-q7jf-gf43-6x6p) affecting versions < 4.10.3, disclosed on October 24, 2025. The flaw allowed request Vary headers to be reflected into the response when the origin was not set to '*', enabling attacker-controlled Vary values and potentially affecting cache behavior (GitHub Advisory).

The vulnerability has been assigned a CVSS score of 6.5 (Moderate) with a vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N, indicating network attack vector, low attack complexity, no privileges required, and no user interaction needed. The vulnerability is classified under CWE-444 (Inconsistent Interpretation of HTTP Requests) and primarily affects the CORS middleware functionality (GitHub Advisory).

The vulnerability may cause cache key pollution and inconsistent CORS enforcement in certain setups. While there is no direct confidentiality, integrity, or availability impact in default configurations, environments using shared caches or proxies that rely on the Vary header could be affected. The practical effect varies by configuration (GitHub Advisory).

The vulnerability has been patched in version 4.10.3. Users are advised to update to this latest patched release. The CORS middleware has been corrected to handle Vary exclusively as a response header, preventing the reflection of request headers (GitHub Advisory).