GHSA-p77w-8qqv-26rm

Cache Middleware does not skip caching for responses that declare per-user variance via Vary: Authorization or Vary: Cookie. As a result, a response cached for one authenticated user may be served to subsequent requests from different users.

Details

The Cache Middleware skips caching when a response carries Vary: *, certain Cache-Control directives (private, no-store, no-cache), or Set-Cookie. However, Vary: Authorization and Vary: Cookie — the standard signals defined in RFC 9110 / RFC 9111 to indicate per-user responses — are not treated as cache-skip reasons.

This issue arises when applications use the Cache Middleware on endpoints that return user-specific data and rely on Vary: Authorization or Vary: Cookie to scope the response per user, without also setting Cache-Control: private.

Impact

A user may receive a cached response that was originally generated for a different authenticated user. This may lead to:

Disclosure of personally identifiable information or other user-specific data present in the response body
Inconsistent or incorrect behavior in user-specific endpoints

This issue affects applications that use the Cache Middleware on endpoints whose responses vary by Authorization or Cookie and that do not also set Cache-Control: private.

Database specific

{
    "cwe_ids": [
        "CWE-524"
    ],
    "github_reviewed_at": "2026-05-09T00:28:46Z",
    "severity": "MODERATE",
    "github_reviewed": true,
    "nvd_published_at": "2026-05-13T16:16:57Z"
}

References

Affected packages

npm / hono

Package

Name: hono; View open source insights on deps.dev
Purl: pkg:npm/hono

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.12.18

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-p77w-8qqv-26rm/GHSA-p77w-8qqv-26rm.json"