CVE-2025-71381

Source
https://cve.org/CVERecord?id=CVE-2025-71381
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-71381.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-71381
Aliases
Published
2026-06-30T22:08:21.523Z
Modified
2026-07-15T01:48:59.644877191Z
Severity
  • 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
Hono - Vary Header Injection in CORS Middleware
Details

Hono before 4.10.2 (fixed in 4.10.3) contains a flaw in its CORS middleware: when the origin is not set to "*", the middleware copies the Vary header from the incoming request into the response. Because Vary is a response header that should be managed by the server, an attacker can supply arbitrary Vary values that are reflected into the response, potentially causing cache key pollution and inconsistent CORS enforcement in environments that rely on shared caches or proxies.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/71xxx/CVE-2025-71381.json",
    "cwe_ids": [
        "CWE-113"
    ],
    "cna_assigner": "VulnCheck"
}
References

Affected packages

Git / github.com/honojs/hono

Affected ranges

Type
GIT
Repo
https://github.com/honojs/hono
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "4.10.2"
        }
    ],
    "source": [
        "AFFECTED_FIELD",
        "DESCRIPTION"
    ]
}

Affected versions

v0.*
v0.0.1
v0.0.10
v0.0.11
v0.0.13
v0.0.14
v0.0.15
v0.0.16
v0.0.2
v0.0.4
v0.0.5
v0.0.7
v0.0.8
v0.0.9
v0.1.0
v0.2.0
v0.2.1
v0.2.2
v0.2.3
v0.2.4
v0.3.0
v0.3.1
v0.3.2
v0.3.3
v0.3.4
v0.3.5
v0.3.6
v0.3.7
v0.3.8
v0.4.0
v0.4.1
v0.4.2
v0.5.0
v0.5.1
v0.5.10
v0.5.2
v0.5.3
v0.5.4
v0.5.5
v0.5.6
v0.5.7
v0.5.8
v0.5.9
v1.*
v1.0.0
v1.1.0
v1.1.1
v1.2.0
v1.2.1
v1.2.2
v1.3.0
v1.3.1
v1.3.2
v1.3.3
v1.3.4
v1.3.5
v1.3.6
v1.4.0
v1.4.1
v1.4.2
v1.4.3
v1.4.4
v1.4.5
v1.4.6
v1.4.7
v1.5.0
v1.5.1
v1.5.2
v1.6.0
v1.6.0-0
v1.6.1
v1.6.2
v1.6.3
v1.6.4
v1.6.5-0
v2.*
v2.0.0
v2.0.1
v2.0.2
v2.0.3
v2.0.4
v2.0.5
v2.0.6
v2.0.7
v2.0.8
v2.0.9
v2.1.0
v2.1.1
v2.1.2
v2.1.3
v2.1.4
v2.2.0
v2.2.1
v2.2.2
v2.2.3
v2.2.4
v2.2.5
v2.3.0
v2.3.1
v2.3.2
v2.4.0
v2.4.1
v2.5.0
v2.5.1
v2.5.10
v2.5.2
v2.5.3
v2.5.4
v2.5.5
v2.5.6
v2.5.7
v2.5.8
v2.5.9
v2.6.0
v2.6.1
v2.6.2
v2.7.0
v2.7.1
v2.7.2
v2.7.3
v2.7.4
v2.7.5
v2.7.6
v2.7.7
v2.7.8
v3.*
v3.0.0
v3.0.0-rc.10
v3.0.0-rc.13
v3.0.0-rc.14
v3.0.0-rc.15
v3.0.0-rc.16
v3.0.0-rc.4
v3.0.0-rc.5
v3.0.0-rc.9
v3.0.1
v3.0.2
v3.0.3
v3.0.4
v3.0.5
v3.1.0
v3.1.1
v3.1.2
v3.1.3
v3.1.4
v3.1.5
v3.1.6
v3.1.7
v3.1.8
v3.10.0
v3.10.1
v3.10.2
v3.10.3
v3.10.4
v3.10.5
v3.11.0
v3.11.1
v3.11.10
v3.11.11
v3.11.12
v3.11.2
v3.11.3
v3.11.4
v3.11.5
v3.11.6
v3.11.7
v3.11.8
v3.11.9
v3.12.0
v3.12.1
v3.12.10
v3.12.11
v3.12.12
v3.12.2
v3.12.3
v3.12.4
v3.12.5
v3.12.6
v3.12.7
v3.12.8
v3.12.9
v3.2.0
v3.2.0-rc.1
v3.2.0-rc.3
v3.2.1
v3.2.2
v3.2.3
v3.2.4
v3.2.5
v3.2.6
v3.2.7
v3.3.0
v3.3.0-rc.1
v3.3.1
v3.3.2
v3.3.3
v3.3.4
v3.4.0
v3.4.1
v3.4.2
v3.4.3
v3.5.0
v3.5.1
v3.5.2
v3.5.3
v3.5.4
v3.5.5
v3.5.6
v3.5.7
v3.5.8
v3.6.0
v3.6.0-rc.1
v3.6.0-rc.2
v3.6.1
v3.6.2
v3.6.3
v3.7.0
v3.7.1
v3.7.2
v3.7.3
v3.7.4
v3.7.5
v3.7.6
v3.8.0
v3.8.0-rc.1
v3.8.0-rc.2
v3.8.0-rc.3
v3.8.1
v3.8.2
v3.8.3
v3.8.4
v3.9.0
v3.9.0-rc.1
v3.9.1
v3.9.2
v4.*
v4.0.0
v4.0.0-rc.0
v4.0.0-rc.1
v4.0.0-rc.2
v4.0.0-rc.3
v4.0.1
v4.0.10
v4.0.2
v4.0.3
v4.0.4
v4.0.5
v4.0.6
v4.0.7
v4.0.8
v4.0.9
v4.1.0
v4.1.0-rc.1
v4.1.1
v4.1.2
v4.1.3
v4.1.4
v4.1.5
v4.1.6
v4.1.7
v4.10.0
v4.10.1
v4.2.0
v4.2.1
v4.2.2
v4.2.3
v4.2.4
v4.2.5
v4.2.6
v4.2.7
v4.2.8
v4.2.9
v4.3.0
v4.3.1
v4.3.10
v4.3.11
v4.3.2
v4.3.3
v4.3.4
v4.3.5
v4.3.6
v4.3.7
v4.3.8
v4.3.9
v4.4.0
v4.4.1
v4.4.10
v4.4.11
v4.4.12
v4.4.13
v4.4.2
v4.4.3
v4.4.4
v4.4.5
v4.4.6
v4.4.7
v4.4.8
v4.4.9
v4.5.0
v4.5.0-rc.1
v4.5.0-rc.2
v4.5.1
v4.5.10
v4.5.11
v4.5.2
v4.5.3
v4.5.4
v4.5.5
v4.5.6
v4.5.7
v4.5.8
v4.5.9
v4.6.0
v4.6.1
v4.6.10
v4.6.11
v4.6.12
v4.6.13
v4.6.14
v4.6.15
v4.6.16
v4.6.17
v4.6.18
v4.6.19
v4.6.2
v4.6.20
v4.6.3
v4.6.4
v4.6.5
v4.6.6
v4.6.7
v4.6.8
v4.6.9
v4.7.0
v4.7.1
v4.7.10
v4.7.11
v4.7.2
v4.7.3
v4.7.4
v4.7.5
v4.7.6
v4.7.7
v4.7.8
v4.7.9
v4.8.0
v4.8.1
v4.8.10
v4.8.11
v4.8.12
v4.8.2
v4.8.3
v4.8.4
v4.8.5
v4.8.6
v4.8.7
v4.8.8
v4.8.9
v4.9.0
v4.9.1
v4.9.10
v4.9.11
v4.9.12
v4.9.2
v4.9.3
v4.9.4
v4.9.5
v4.9.6
v4.9.7
v4.9.8
v4.9.9
vv3.*
vv3.5.0-rc.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-71381.json"