GHSA-q7jf-gf43-6x6p: 
JavaScript vulnerability analysis and mitigation

A vulnerability (GHSA-q7jf-gf43-6x6p) was discovered in Hono's CORS middleware affecting versions prior to 4.10.3. The flaw allowed request Vary headers to be reflected into the response, enabling attacker-controlled Vary values and potentially affecting cache behavior. The vulnerability was published and reviewed on October 24, 2025, with a CVSS score of 6.5 (Moderate severity) (GitHub Advisory).

The vulnerability exists in the CORS middleware where it incorrectly copied the Vary header from the request when the origin was not set to '*'. This behavior violated the principle that Vary is a response header that should only be managed by the server. The issue is tracked as CWE-444 (Inconsistent Interpretation of HTTP Requests). The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N, indicating network attack vector, low attack complexity, no privileges required, and no user interaction needed (GitHub Advisory).

The vulnerability may cause cache key pollution and inconsistent CORS enforcement in certain setups, particularly in environments where shared caches or proxies rely on the Vary header. However, there is no direct confidentiality, integrity, or availability impact in default configurations. The practical effect varies by configuration (GitHub Advisory).

The vulnerability has been patched in version 4.10.3. Users should update to this version or later. The CORS middleware has been corrected to handle Vary exclusively as a response header, preventing the reflection of request Vary headers (GitHub Advisory, Hono Commit).