Hono Cache Middleware Cross-User Cache Leakage Vulnerability

Vulnerability

A cache leakage vulnerability has been identified in Hono versions prior to 4.12.18. The issue arises in the Cache Middleware, which fails to bypass caching for responses that declare per-user variance through 'Vary: Authorization' or 'Vary: Cookie'. Such a response is stored under a key that does not include the user's credentials, so a response cached for one authenticated user may be inadvertently served to other users. Applications are affected when they apply the Cache Middleware to endpoints that return user-specific data without also setting 'Cache-Control: private'.
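The following is an added example, not Hono's own middleware: a minimal in-memory response cache keyed on the URL, with a toggle that reproduces the leak described above and the check that prevents it (bypassing storage when the response varies on Authorization or Cookie, or is marked private). It assumes the WHATWG Request/Response/Headers globals of Node 18+; the profile handler and URL are constructed for the demonstration.

```javascript
// Parse a Vary header into a set of lowercase field names.
function varyFields(headers) {
  const vary = headers.get('vary');
  if (!vary) return new Set();
  return new Set(vary.split(',').map((v) => v.trim().toLowerCase()).filter(Boolean));
}

// True when a response must not be shared between users: it varies on a
// credential-bearing header (or on everything), or Cache-Control forbids
// shared caching (private / no-store, per RFC 9111).
function isPerUserResponse(headers) {
  const vary = varyFields(headers);
  if (vary.has('*') || vary.has('authorization') || vary.has('cookie')) return true;
  const cc = (headers.get('cache-control') || '').toLowerCase();
  const directives = cc.split(',').map((d) => d.trim().split('=')[0]);
  return directives.includes('private') || directives.includes('no-store');
}

// A shared cache keyed only on request.url. checkVary=false reproduces the
// advisory's behaviour; checkVary=true skips storing per-user responses.
function makeCache(handler, { checkVary }) {
  const store = new Map();
  return async function fetchWithCache(request) {
    const hit = store.get(request.url);
    if (hit) return { body: hit.body, cached: true };
    const res = await handler(request);
    const body = await res.text();
    if (!checkVary || !isPerUserResponse(res.headers)) store.set(request.url, { body });
    return { body, cached: false };
  };
}

// Constructed origin handler (hypothetical): /me answers for whoever is
// authenticated and correctly declares that it varies on Authorization.
async function profileHandler(request) {
  const auth = request.headers.get('authorization') || '';
  const user = auth.replace(/^Bearer\s+/i, '') || 'anonymous';
  return new Response(JSON.stringify({ user }), {
    headers: { 'content-type': 'application/json', vary: 'Authorization' },
  });
}

// Alice then Bob request the same URL; returns which user's data each saw.
async function simulate(checkVary) {
  const cached = makeCache(profileHandler, { checkVary });
  const req = (token) =>
    new Request('http://example.test/me', { headers: { authorization: `Bearer ${token}` } });
  const alice = await cached(req('alice'));
  const bob = await cached(req('bob'));
  return { alice: JSON.parse(alice.body).user, bob: JSON.parse(bob.body).user, bobFromCache: bob.cached };
}
```

With checkVary=false, Bob receives Alice's cached profile; with checkVary=true the per-user response is never stored and each user gets their own data.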

Impact

Exploiting this vulnerability can lead to the unintentional disclosure of personally identifiable information or other user-specific data, as cached responses may be served across different users. Additionally, it can cause inconsistent or incorrect behavior in user-specific endpoints.

Remediation

Users can upgrade to Hono version 4.12.18 or later to address this vulnerability.

Added: May 13, 2026, 5:21 PM
Updated: May 13, 2026, 5:21 PM

Vulnerability Rating

Custom Algorithm

spread: 2.2
impact: 0.6
exploitability: 5.4
remediation: 7.7
relevance: 8.2
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.