Intel

AIKIDO-2026-429504

@orpc/server is vulnerable to HTTP Response Header Injection

HTTP Response Header InjectionGHSA-j9v4-rhgr-4m5f Published Today

54

Medium Risk

This Affects:

JS@orpc/server
0.35.0 - 1.14.7
Fixed in 1.14.8
Are you affected? Scan for Free

TL;DR

The CORS plugin in @orpc/server copies the incoming request's Vary header directly onto the response instead of treating Vary as a server-controlled response header. Because a client controls the request Vary value, it can inject arbitrary values that are reflected back into the response Vary, influencing how shared caches and CDNs key cached responses. In deployments fronted by a shared cache or reverse proxy that keys on Vary, this can cause cache-key pollution and inconsistent CORS enforcement across clients. The fix stops copying the request Vary and instead derives the response Vary from server-controlled values, appending Origin only when it is absent.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and you use the CORS plugin behind a shared cache or reverse proxy that keys on the Vary header.

Background info

@orpc/server is vulnerable to HTTP Response Header Injection in versions 0.35.0 - 1.14.7.

How to fix this

Upgrade the @orpc/server library to the patch version.