GHSA-88fw-hqm2-52qc

Suggest an improvement
Source
https://github.com/advisories/GHSA-88fw-hqm2-52qc
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-88fw-hqm2-52qc/GHSA-88fw-hqm2-52qc.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-88fw-hqm2-52qc
Aliases
  • CVE-2026-54290
Downstream
Related
Published
2026-06-16T14:15:39Z
Modified
2026-06-17T17:59:20.942773321Z
Severity
  • 7.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N CVSS Calculator
Summary
hono: CORS Middleware reflects any Origin with credentials when `origin` defaults to the wildcard
Details

Summary

With credentials: true and no explicit origin (the default wildcard), the CORS Middleware reflects the request's Origin and sends Access-Control-Allow-Credentials: true. Any site can then make credentialed cross-origin requests and read the responses, exposing cookie-authenticated endpoints to arbitrary origins.

Details

The spec forbids Access-Control-Allow-Origin: * with credentials and browsers reject it, so this configuration used to fail closed. In affected versions the middleware reflects the request Origin instead, so it now succeeds for every origin, including null. The preflight also echoes the requested headers back, approving non-simple credentialed requests too.

This issue arises when an application enables credentials: true and leaves origin unset or set to the wildcard.

Impact

Any third-party page a logged-in user visits can read the application's cookie-authenticated endpoints and perform credentialed state-changing requests. This affects applications that enable credentialed CORS without restricting origin.

Database specific
{
    "nvd_published_at": null,
    "severity": "HIGH",
    "cwe_ids": [
        "CWE-942"
    ],
    "github_reviewed_at": "2026-06-16T14:15:39Z",
    "github_reviewed": true
}
References

Affected packages

npm / hono

Package

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4.12.25

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-88fw-hqm2-52qc/GHSA-88fw-hqm2-52qc.json"