@orpc/server is vulnerable to HTTP Response Header Injection
54
Medium Risk
The CORS plugin in @orpc/server copies the incoming request's Vary header directly onto the response instead of treating Vary as a server-controlled response header. Because a client controls the request Vary value, it can inject arbitrary values that are reflected back into the response Vary, influencing how shared caches and CDNs key cached responses. In deployments fronted by a shared cache or reverse proxy that keys on Vary, this can cause cache-key pollution and inconsistent CORS enforcement across clients. The fix stops copying the request Vary and instead derives the response Vary from server-controlled values, appending Origin only when it is absent.
You are affected if you are using a version that falls within the vulnerable range and you use the CORS plugin behind a shared cache or reverse proxy that keys on the Vary header.
@orpc/server is vulnerable to HTTP Response Header Injection in versions 0.35.0 - 1.14.7.
Upgrade the @orpc/server library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

I consent to receiving marketing communications based on Aikido’s Privacy Policy.
SOC 2Compliant
ISO 27001Compliant