hono is vulnerable to Permissive Cross-domain Policy
71
High Risk
When the CORS middleware is configured with credentials enabled and a wildcard origin, it reflects the request's Origin header instead of rejecting the combination that browsers forbid. Any third-party page a logged-in user visits can make credentialed cross-origin requests and read cookie-authenticated API responses. Previously the wildcard-plus-credentials case failed closed, but origin reflection made every origin succeed. The fix stops reflecting arbitrary origins and no longer adds Vary: Origin for wildcard-only configurations.
You are affected if you are using a version that falls within the vulnerable range and your application enables credentialed CORS without explicitly restricting the allowed origin.
hono is vulnerable to Permissive Cross-domain Policy in versions 0.0.1 - 4.12.24.
Upgrade the hono library to the patched version.
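The header decision described above, as an added example: a simplified model written for this page, not hono's source code. The function names, the config shape and the sample origins are assumptions made for illustration; it contrasts origin reflection with an explicit allowlist and applies the browser's rule for credentialed requests to both.

```javascript
// Simplified model of the CORS header decision (constructed; not hono's source).

// Behaviour the advisory describes: wildcard + credentials reflects the Origin.
function reflectingPolicy(config, requestOrigin) {
  const headers = {};
  if (config.origin === '*' && config.credentials && requestOrigin) {
    headers['Access-Control-Allow-Origin'] = requestOrigin; // every origin succeeds
    headers['Vary'] = 'Origin';
  } else {
    headers['Access-Control-Allow-Origin'] = config.origin;
  }
  if (config.credentials) headers['Access-Control-Allow-Credentials'] = 'true';
  return headers;
}

// Hardened configuration: credentials only for an explicit allowlist of origins.
function allowlistPolicy(config, requestOrigin) {
  const allowed = [].concat(config.origin);
  if (config.credentials && allowed.includes('*')) {
    throw new Error('credentialed CORS needs an explicit origin allowlist');
  }
  if (allowed.includes('*')) return { 'Access-Control-Allow-Origin': '*' };
  const headers = { Vary: 'Origin' }; // response differs per origin; caches must key on it
  if (allowed.includes(requestOrigin)) {
    headers['Access-Control-Allow-Origin'] = requestOrigin;
    if (config.credentials) headers['Access-Control-Allow-Credentials'] = 'true';
  }
  return headers;
}

// Browser-side rule for a credentialed request: the allowed origin must match the
// calling page exactly (a literal "*" is rejected) and credentials must be "true".
function browserExposesResponse(headers, pageOrigin) {
  return headers['Access-Control-Allow-Origin'] === pageOrigin &&
    headers['Access-Control-Allow-Credentials'] === 'true';
}

// Constructed sample origins and configurations.
const APP = 'https://app.example';
const OTHER = 'https://other-site.example';
const weak = { origin: '*', credentials: true };
const strict = { origin: [APP], credentials: true };
const literalWildcard = { 'Access-Control-Allow-Origin': '*', 'Access-Control-Allow-Credentials': 'true' };

console.log('reflected wildcard, other site:', browserExposesResponse(reflectingPolicy(weak, OTHER), OTHER));
console.log('literal wildcard, other site:', browserExposesResponse(literalWildcard, OTHER));
console.log('allowlist, other site:', browserExposesResponse(allowlistPolicy(strict, OTHER), OTHER));
console.log('allowlist, app origin:', browserExposesResponse(allowlistPolicy(strict, APP), APP));
```

In an application, the equivalent of `strict` is passing the CORS middleware an explicit origin (or list of origins) whenever `credentials` is enabled.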