Description
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.11.7, Cache Middleware contains an information disclosure vulnerability caused by improper handling of HTTP cache control directives. The middleware does not respect standard cache control headers such as `Cache-Control: private` or `Cache-Control: no-store`, which may result in private or authenticated responses being cached and subsequently exposed to unauthorized users. Version 4.11.7 has a patch for the issue.
Published: 2026-01-27
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Patch
AI Analysis

Impact

The vulnerability lies in Hono's cache middleware, which ignores standard cache‑control headers such as `Cache-Control: private` and `Cache-Control: no-store`. Because of this omission, private or authenticated responses can be stored in shared caches, exposing confidential data to unintended recipients. The weakness corresponds to CWE-524 and CWE-613, indicating improper handling of cache‑related security controls.

Affected Systems

The issue affects the Hono framework from HonoJS, specifically any installation using versions earlier than 4.11.7. All releases before 4.11.7 are vulnerable. The framework runs on any JavaScript runtime, but the root cause resides in the middleware layer of the Hono framework itself.

Risk and Exploitability

The CVSS base score of 5.3 indicates a moderate severity. Exploitability is low, with an EPSS score below 1% and no presence in the CISA KEV catalog, suggesting limited real‑world exploitation. The attack vector would be via normal HTTP traffic to a vulnerable application. An adversary could trigger the caching of sensitive responses by making authenticated requests and then retrieve the cached content through a subsequent anonymous request, resulting in the disclosure of confidential information.

Generated by OpenCVE AI on April 18, 2026 at 14:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Hono v4.11.7 or later to receive the fix that properly honors cache‑control directives.
  • Manually enforce proper cache directives on all responses that contain private or authenticated data—set `Cache-Control: private, no-store` or disable caching for those endpoints.
  • Configure the HTTP reverse proxy or CDN to strip or override cache headers on protected resources if the application cannot guarantee correct behavior.
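As an added example (not Hono's own code and not the 4.11.7 patch), the following shows a shared-cache storability check that honours the directives this advisory names, wrapped in a minimal in-memory cache of the kind the middleware implements; `isSharedCacheable`, `cachedFetch`, the plain header object and the `authorized` flag are constructed for the illustration.

```javascript
// Added example, not Hono's own code: a shared-cache storability check of the
// kind the vulnerable middleware lacked, plus a tiny in-memory cache using it.

// Parse a Cache-Control value into a Map of lowercase directive -> value|null.
// Handles quoted arguments such as no-cache="Set-Cookie".
function parseCacheControl(value) {
  const directives = new Map();
  if (!value) return directives;
  // Split on commas that are not inside double quotes.
  const parts = value.match(/(?:[^,"]|"(?:[^"\\]|\\.)*")+/g) || [];
  for (const part of parts) {
    const token = part.trim();
    if (!token) continue;
    const eq = token.indexOf('=');
    const name = (eq === -1 ? token : token.slice(0, eq)).trim().toLowerCase();
    let arg = eq === -1 ? null : token.slice(eq + 1).trim();
    if (arg && arg.startsWith('"') && arg.endsWith('"')) arg = arg.slice(1, -1);
    directives.set(name, arg);
  }
  return directives;
}

// Case-insensitive lookup in a plain header object (stand-in for Headers).
function header(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
  return key === undefined ? undefined : headers[key];
}

// True only if a shared cache may store the response (RFC 9111 section 3).
// `authorized` marks a response to a request that carried Authorization.
function isSharedCacheable(headers, authorized = false) {
  const cc = parseCacheControl(header(headers, 'cache-control'));
  if (cc.has('private') || cc.has('no-store')) return false;
  // Authenticated responses need an explicit opt-in before shared caching.
  const optIn = ['public', 'must-revalidate', 's-maxage'].some((d) => cc.has(d));
  if (authorized && !optIn) return false;
  // A zero freshness lifetime would be stale the moment it is stored.
  const age = cc.has('s-maxage') ? cc.get('s-maxage') : cc.get('max-age');
  if (age !== undefined && age !== null && Number(age) <= 0) return false;
  // Set-Cookie marks a per-user response unless the server says public.
  if (header(headers, 'set-cookie') !== undefined && !cc.has('public')) return false;
  return true; // no directives at all: heuristically cacheable
}

// Middleware-style cache: `store` is an in-memory Map keyed by URL; `produce`
// builds the upstream response { status, headers, body } on a miss.
function cachedFetch(store, url, produce, authorized = false) {
  if (store.has(url)) return { hit: true, res: store.get(url) };
  const res = produce();
  if (isSharedCacheable(res.headers, authorized)) store.set(url, res);
  return { hit: false, res };
}
```

With this check in front of the store, a `Cache-Control: private` response requested by an authenticated user is never written to the shared cache, so a later anonymous request for the same URL misses instead of receiving the first user's data.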



Advisories
Source: Github GHSA
ID: GHSA-6wqw-2p9w-4vw4
Title: Hono cache middleware ignores "Cache-Control: private" leading to Web Cache Deception
History

Wed, 04 Feb 2026 15:45:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:hono:hono:*:*:*:*:*:node.js:*:*

Wed, 28 Jan 2026 12:30:00 +0000

Type: First Time appeared
Values Added: Hono; Hono hono
Type: Vendors & Products
Values Added: Hono; Hono hono

Tue, 27 Jan 2026 21:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 27 Jan 2026 20:00:00 +0000

Type: Description
Values Added: Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.11.7, Cache Middleware contains an information disclosure vulnerability caused by improper handling of HTTP cache control directives. The middleware does not respect standard cache control headers such as `Cache-Control: private` or `Cache-Control: no-store`, which may result in private or authenticated responses being cached and subsequently exposed to unauthorized users. Version 4.11.7 has a patch for the issue.
Type: Title
Values Added: Hono cache middleware ignores "Cache-Control: private" leading to Web Cache Deception
Type: Weaknesses
Values Added: CWE-524; CWE-613
Type: References
Values Added:
Type: Metrics
Values Added: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-27T20:52:05.494Z

Reserved: 2026-01-23T00:38:20.547Z

Link: CVE-2026-24472

Vulnrichment

Updated: 2026-01-27T20:36:38.513Z

NVD

Status : Analyzed

Published: 2026-01-27T20:16:22.950

Modified: 2026-02-04T15:32:14.550

Link: CVE-2026-24472

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T15:00:03Z

Weaknesses