CVE-2026-44457
MEDIUM5.3EPSS 0.04%Hono's Cache Middleware ignores Vary: Authorization / Vary: Cookie leading to cross-user cache leakage
描述
### Summary Cache Middleware does not skip caching for responses that declare per-user variance via `Vary: Authorization` or `Vary: Cookie`. As a result, a response cached for one authenticated user may be served to subsequent requests from different users. ### Details The Cache Middleware skips caching when a response carries `Vary: *`, certain `Cache-Control` directives (`private`, `no-store`, `no-cache`), or `Set-Cookie`. However, `Vary: Authorization` and `Vary: Cookie` — the standard signals defined in RFC 9110 / RFC 9111 to indicate per-user responses — are not treated as cache-skip reasons. This issue arises when applications use the Cache Middleware on endpoints that return user-specific data and rely on `Vary: Authorization` or `Vary: Cookie` to scope the response per user, without also setting `Cache-Control: private`. ### Impact A user may receive a cached response that was originally generated for a different authenticated user. This may lead to: - Disclosure of personally identifiable information or other user-specific data present in the response body - Inconsistent or incorrect behavior in user-specific endpoints This issue affects applications that use the Cache Middleware on endpoints whose responses vary by `Authorization` or `Cookie` and that do not also set `Cache-Control: private`.
受影響套件(1)
- npm/honofrom 0, < 4.12.18
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |