Merge pull request #6462 from github/gigatechcode-GHSA-q7jf-gf43-6x6p

Author: advisory-database[bot]

advisories/github-reviewed/2025/10/GHSA-q7jf-gf43-6x6p/GHSA-q7jf-gf43-6x6p.json

@@ -1,15 +1,15 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-q7jf-gf43-6x6p",
-  "modified": "2025-10-24T19:15:13Z",
+  "modified": "2025-10-24T19:15:15Z",
   "published": "2025-10-24T19:15:13Z",
   "aliases": [],
   "summary": "Hono vulnerable to Vary Header Injection leading to potential CORS Bypass",
   "details": "### Summary  \nA flaw in the CORS middleware allowed request `Vary` headers to be reflected into the response, enabling attacker-controlled `Vary` values and potentially affecting cache behavior.\n\n### Details  \nThe middleware previously copied the `Vary` header from the request when `origin` was not set to `\"*\"`.  Since `Vary` is a response header that should only be managed by the server, this could allow an attacker to influence caching behavior or cause inconsistent CORS handling.\n\nMost environments will see impact only when shared caches or proxies rely on the `Vary` header. The practical effect varies by configuration.\n\n### Impact  \nMay cause cache key pollution and inconsistent CORS enforcement in certain setups. No direct confidentiality, integrity, or availability impact in default configurations.  \n\n### Resolution  \nUpdate to the latest patched release. The CORS middleware has been corrected to handle `Vary` exclusively as a response header.",
   "severity": [
     {
       "type": "CVSS_V3",
-      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
+      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N"
     }
   ],
   "affected": [