DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-24472: Total Recall: Hono Middleware's Unintentional Session Sharing


Vulnerability ID: CVE-2026-24472
CVSS Score: 5.3
Published: 2026-01-27

The Hono framework's cache middleware was a little too eager to help: it ignored the standard Cache-Control directives private and no-store, and the presence of a Set-Cookie header, when deciding what to store. The result was a shared cache that cheerfully stored user-specific responses, session cookies included, and served them to the next client to request the same URL, whether or not that client was authenticated.

TL;DR

Hono < 4.11.7 contains a flaw in its hono/cache middleware. By failing to honour the RFC 9111 storability rules, specifically the Cache-Control: private and no-store directives, Vary, and the presence of a Set-Cookie header, the middleware stores sensitive, user-specific responses in a cache shared by all clients. An attacker who requests the same resource after a victim is answered with the victim's cached response, which can expose private data or a session cookie. The report classes this as Web Cache Deception.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-524 (Information Exposure Through Caching)
  • CVSS v3.1: 5.3 (Medium)
  • Attack Vector: Network (AV:N)
  • Impact: Confidentiality Loss (Session Hijacking / PII)
  • Platform: Node.js, Deno, Bun, Cloudflare Workers
  • Patch Commit: 12c511745b3f1e7a3f863a23ce5f921c7fa805d1

Affected Systems

  • Hono Web Framework (JavaScript/TypeScript)
  • Hono Middleware (cache)
  • Hono: < 4.11.7 (Fixed in: 4.11.7)

Code Analysis

Commit: 12c5117

fix(cache): check Cache-Control and Vary and Set-Cookie

+ const shouldSkipCache = (res: Response) => { ... }
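Review bot: the body of shouldSkipCache is elided in this excerpt, so a reader cannot confirm from the visible line which response headers the new check consults or how it is wired into the store path; the commit title names Cache-Control, Vary and Set-Cookie, so the excerpt should at least show the three conditions (a private or no-store directive, any Set-Cookie header, Vary: *) and the call site where a true result prevents the response from being stored.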

Exploit Details

  • Scenario: Web Cache Deception via standard HTTP requests. A victim's request to an endpoint behind the cache middleware produces a user-specific response that the middleware stores; an attacker's ordinary request for the same URL is then answered from the cache with the victim's body and cookies. No header manipulation or special tooling is needed.
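To make the TL;DR and this scenario concrete, here is an added example in TypeScript; it is not Hono's code and not from the report. A toy shared cache keyed by URL first stores every response, as the advisory says the pre-4.11.7 middleware did, and then is given an RFC 9111-style storability check written in the spirit of the fix commit's title, "check Cache-Control and Vary and Set-Cookie". The /profile endpoint, the user names and the session cookie format are constructed for the demo, and the check is a reading of RFC 9111 rather than the code Hono 4.11.7 actually ships. It needs only the standard Headers class (Node 18+, Deno or Bun).

```typescript
// Added illustration, not Hono's own code. Shows a shared cache that stores
// everything (the pre-4.11.7 behaviour the advisory describes) and the same
// cache with an RFC 9111-style check modelled on the fix's commit title.
// Endpoint, users and cookie format are constructed for the demo.

type LiteRequest = { url: string; headers: Headers };
type LiteResponse = { status: number; headers: Headers; body: string };
type Handler = (req: LiteRequest) => LiteResponse;

// "private, max-age=60" -> ["private", "max-age"]
function cacheControlDirectives(headers: Headers): string[] {
  return (headers.get("cache-control") ?? "")
    .toLowerCase()
    .split(",")
    .map((d) => d.trim().split("=")[0])
    .filter((d) => d.length > 0);
}

// May a *shared* cache store this response? (RFC 9111 reading, not Hono's code.)
function shouldSkipCache(headers: Headers): boolean {
  const directives = cacheControlDirectives(headers);
  // RFC 9111 s5.2.2: private and no-store forbid storage in a shared cache.
  if (directives.includes("private") || directives.includes("no-store")) return true;
  // A response that sets a cookie is user-specific; never share it.
  if (headers.has("set-cookie")) return true;
  // Vary: * means no stored response can ever be reused (RFC 9111 s4.1).
  const vary = (headers.get("vary") ?? "").split(",").map((v) => v.trim());
  if (vary.includes("*")) return true;
  return false;
}

// Pre-fix behaviour: nothing is ever skipped.
const storeEverything = (_headers: Headers): boolean => false;

// Minimal shared cache keyed by URL only, parameterised by the skip check.
class SharedCache {
  private store = new Map<string, LiteResponse>();
  private skip: (headers: Headers) => boolean;
  constructor(skip: (headers: Headers) => boolean) {
    this.skip = skip;
  }

  handle(req: LiteRequest, handler: Handler): { res: LiteResponse; hit: boolean } {
    const cached = this.store.get(req.url);
    if (cached) return { res: cached, hit: true };
    const res = handler(req);
    if (!this.skip(res.headers)) this.store.set(req.url, res);
    return { res, hit: false };
  }
}

// Constructed per-user endpoint: identifies the caller from a bearer token,
// marks the response private and sets a session cookie.
const profileHandler: Handler = (req) => {
  const user = req.headers.get("authorization")?.replace(/^Bearer /, "") ?? "anonymous";
  return {
    status: 200,
    body: `profile of ${user}`,
    headers: new Headers({
      "content-type": "text/plain",
      "cache-control": "private, max-age=60",
      "set-cookie": `session=${user}-token; HttpOnly; Path=/`,
    }),
  };
};

// Victim (alice) requests /profile; an unauthenticated attacker then requests
// the same URL. Returns what the attacker received.
function attackerView(skip: (headers: Headers) => boolean) {
  const cache = new SharedCache(skip);
  const url = "https://app.example/profile";
  cache.handle({ url, headers: new Headers({ authorization: "Bearer alice" }) }, profileHandler);
  const { res, hit } = cache.handle({ url, headers: new Headers() }, profileHandler);
  return { hit, body: res.body, cookie: res.headers.get("set-cookie") };
}

console.log("vulnerable:", attackerView(storeEverything));
// -> hit: true, body: "profile of alice", cookie: "session=alice-token; ..."
console.log("fixed:", attackerView(shouldSkipCache));
// -> hit: false, body: "profile of anonymous", cookie: "session=anonymous-token; ..."
```

With the store-everything policy the attacker is served alice's body and her Set-Cookie header straight from the cache; with the check in place the private, cookie-bearing response is never stored and the attacker gets only an anonymous response generated for them. Note that the check looks at response headers only, which is exactly why an endpoint that forgets to mark itself private still leaks on the fixed version if it also omits Set-Cookie.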

Mitigation Strategies

  • Update Hono to version 4.11.7 or later.
  • Audit every endpoint that sits behind the cache middleware and confirm none of them return user-specific content or set cookies.
  • Ensure sensitive endpoints explicitly set Cache-Control: private or no-store. On unpatched versions the middleware ignored these directives, so this protects against downstream caches (CDNs, browsers) but is not a substitute for the upgrade.

Remediation Steps:

  1. Run npm install hono@latest or yarn add hono@latest.
  2. Verify that package.json reflects version ^4.11.7 and that the lockfile resolves to 4.11.7 or later.
  3. Restart the application runtime. Where the middleware is backed by a cache that outlives the process (for example the Cache API on Cloudflare Workers, which is persistent edge storage), restarting does not remove entries already stored; purge them with the platform's own cache-purge tooling so that previously cached user-specific responses cannot still be served.

Read the full report for CVE-2026-24472 on our website for more details including interactive diagrams and full exploit analysis.
