Hono Web Framework Cache Middleware Information Disclosure Vulnerability

Vulnerability

A vulnerability in the Cache Middleware of the Hono web application framework, prior to version 4.11.7, allows for information disclosure. This issue arises from improper handling of HTTP cache control directives. The middleware fails to respect standard cache control headers such as 'Cache-Control: private' or 'Cache-Control: no-store'. As a result, private or authenticated responses may be cached and later exposed to unauthorized users. This vulnerability affects applications using the Hono cache middleware on Deno, Bun, or Node.js runtimes.

Impact

Exploitation of this vulnerability can lead to Web Cache Deception and information disclosure. Cached responses that are meant to be private can be accessed by unauthorized users, potentially exposing sensitive data such as personally identifiable information or session-related information.

Reproduction

The vulnerability can be reproduced by having an application that uses the Hono Cache Middleware return a response whose 'Cache-Control' header is set to 'private' or 'no-store'. Once the middleware has cached that response, a request from an unauthorized user for the same resource is served the cached data, demonstrating the information disclosure flaw.

Remediation

Users are advised to upgrade to Hono version 4.11.7, which includes a patch for this vulnerability.
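
The storage decision a shared cache has to make for the directives named above, as an added example that is not Hono's code or its patch. All function names, the URL-keyed in-memory store and the sample handler are hypothetical and constructed for illustration.

```javascript
// Added example (not Hono's code): a URL-keyed cache wrapper that either
// ignores or honors 'Cache-Control: private' / 'no-store'.

// Return the set of lower-cased directive names in a Cache-Control value.
function parseCacheControl(value) {
  const directives = new Set();
  for (const part of String(value || '').split(',')) {
    const name = part.split('=')[0].trim().toLowerCase();
    if (name) directives.add(name);
  }
  return directives;
}

// A cache shared between users must not store 'private' or 'no-store' responses.
function mayStoreInSharedCache(response) {
  const cc = parseCacheControl(response.headers['cache-control']);
  return !(cc.has('private') || cc.has('no-store'));
}

// Wrap a handler with a cache keyed by URL only (the user is not in the key).
function makeCachedHandler(handler, { honorCacheControl }) {
  const store = new Map();
  return (request) => {
    if (store.has(request.url)) return store.get(request.url);
    const response = handler(request);
    if (!honorCacheControl || mayStoreInSharedCache(response)) {
      store.set(request.url, response);
    }
    return response;
  };
}

// Constructed sample handler: a per-user body that is marked private.
function profileHandler(request) {
  return {
    headers: { 'cache-control': 'private, max-age=60' },
    body: `profile of ${request.user}`,
  };
}

// Two users request the same URL; return what the second user receives.
function demo(honorCacheControl) {
  const cached = makeCachedHandler(profileHandler, { honorCacheControl });
  cached({ url: '/profile', user: 'alice' });
  return cached({ url: '/profile', user: 'bob' }).body;
}
```

The same two-request sequence works as a regression check against a deployed route after upgrading: the second user's response must never contain the first user's body.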

Added: Jan 27, 2026, 8:21 PM
Updated: Jan 27, 2026, 8:21 PM

Vulnerability Rating

Custom Algorithm

spread: 2.2
impact: 2.5
exploitability: 7.2
remediation: 7.7
relevance: 2.4
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.