HTTP Request Smuggling Affecting hono package, versions <4.10.3
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-JS-HONO-13720736
- published27 Oct 2025
- disclosed24 Oct 2025
- creditUnknown
Introduced: 24 Oct 2025
New CVE NOT AVAILABLE CWE-444 (opens in a new tab)Common Weakness Enumeration (CWE) is a category system for software weaknesses
How to fix?
Upgrade hono to version 4.10.3 or higher.
Overview
hono is an Ultrafast web framework for the Edges
Affected versions of this package are vulnerable to HTTP Request Smuggling via the CORS middleware, which copies the Vary header from the request to the response when the origin is not set to "*". An attacker can influence cache behavior or cause inconsistent cross-origin resource sharing enforcement by supplying crafted Vary headers in requests.
Note:
This is exploitable if shared caches or proxies rely on the Vary header for cache key calculation.