GHSA-q7jf-gf43-6x6p: Hono vulnerable to Vary Header Injection leading to potential CORS Bypass

October 24, 2025

A flaw in the CORS middleware allowed request Vary headers to be reflected into the response, enabling attacker-controlled Vary values and potentially affecting cache behavior.

References

github.com/advisories/GHSA-q7jf-gf43-6x6p
github.com/honojs/hono
github.com/honojs/hono/commit/d9b8b4b73b4f997994f2764013207365fe711282
github.com/honojs/hono/security/advisories/GHSA-q7jf-gf43-6x6p

Code Behaviors & Features

Detect and mitigate GHSA-q7jf-gf43-6x6p with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →