
CVE-2025-71381

6.5 MEDIUM (CVSS 3.1)
Description
Hono before 4.10.2 (fixed in 4.10.3) contains a flaw in its CORS middleware: when the origin is not set to "*", the middleware copies the Vary header from the incoming request into the response. Because Vary is a response header that should be managed by the server, an attacker can supply arbitrary Vary values that are reflected into the response, potentially causing cache key pollution and inconsistent CORS enforcement in environments that rely on shared caches or proxies.
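As an added illustration of the defect described above (constructed for this page, not Hono's code): a minimal CORS handler that reflects a request-supplied Vary header, beside a hardened one in which only the server decides Vary, plus a check a proxy operator or test suite can use to flag a reflected Vary. The origin allow-list and the set of expected Vary tokens are assumptions.

```javascript
// Constructed allow-list; a real deployment would load its own.
const ALLOWED_ORIGINS = new Set(["https://app.example"]);

// Flawed pattern: when the allowed origin is not "*", the request's own
// Vary header is copied into the response, so a client controls a
// server-side caching directive.
function corsFlawed(reqHeaders) {
  const res = new Headers();
  const origin = reqHeaders.get("origin") ?? "";
  if (ALLOWED_ORIGINS.has(origin)) {
    res.set("access-control-allow-origin", origin);
    const vary = reqHeaders.get("vary"); // bug: trusting a request header as a response header
    if (vary) res.set("vary", vary);
  }
  return res;
}

// Hardened pattern: the server sets Vary itself. A response that depends on
// the Origin request header must say so, and the client's Vary is ignored.
function corsHardened(reqHeaders) {
  const res = new Headers();
  const origin = reqHeaders.get("origin") ?? "";
  if (ALLOWED_ORIGINS.has(origin)) {
    res.set("access-control-allow-origin", origin);
  }
  res.set("vary", "Origin"); // set on every path so shared caches key on Origin
  return res;
}

// Detection aid for responses seen at a cache/proxy or in integration tests:
// every Vary token should be a request header the server actually keys on.
// The token list is an assumption; extend it for your own service.
const EXPECTED_VARY = new Set([
  "origin", "accept", "accept-encoding", "accept-language",
  "cookie", "authorization", "user-agent", "*",
]);
function varyLooksServerControlled(varyValue) {
  return varyValue
    .split(",")
    .map((t) => t.trim().toLowerCase())
    .every((t) => t.length > 0 && EXPECTED_VARY.has(t));
}
```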

Metadata

CVE ID
CVE-2025-71381
State
PUBLISHED
Assigner
VulnCheck
Reserved
2026-06-20 13:11 UTC
Published
2026-06-30 22:08 UTC
Last updated
2026-07-01 13:19 UTC
Primary CWE
CWE-113
Improper Neutralization of CRLF Sequences in HTTP Headers ('…
Vendor / Product
Hono / Hono
Sources
cve.org  ·  NVD

Severity & Metrics

6.5 MEDIUM CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
SSVC — CISA Coordinator
Exploitation
none
Automatable
yes
Tech. Impact
partial
Affected products (1)
Vendor | Product | Platform | Versions
Hono | Hono | | 0 < 4.10.2, 4.10.2
Weakness (CWE)
CWE | Source | Description
CWE-113 | cna | Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')
CVSS scores (2)
Score | Severity | Version | Source | Vector
6.9 | MEDIUM | 4.0 | cna | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
6.5 | MEDIUM | 3.1 | cna | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
References (2)