Hono Cache Middleware Information Disclosure Vulnerability (CVE-2024-46790) (Medium)

Listen to this Post

The vulnerability exists within the caching logic of the `@hono/cache` middleware (specifically the `httpCache` function). When processing an HTTP response, the middleware’s decision to store a response in its internal cache (e.g., in-memory or using a configured store) fails to adequately check the standard HTTP `Cache-Control` headers sent by the application. Normally, directives like `private` or `no-store` instruct caches, including intermediary proxies and browser caches, that the response contains user-specific or sensitive data and must not be stored. This middleware incorrectly overrides or ignores these semantics. If an application sets `Cache-Control: private` on a response containing authenticated user data (e.g., `/api/me` profile), the middleware may still cache the response keyed by the request URL. A subsequent request from a different, unauthenticated user to the same URL receives the cached private response from the middleware’s store instead of triggering a new request to the origin server. This behavior is dependent on the runtime; platforms like Cloudflare Workers enforce cache control at the edge network level, but runtimes like Node.js, Deno, and Bun, which rely solely on the middleware’s logic, are fully vulnerable, leading to cache deception and leakage of sensitive information.

DailyCVE Form:

Platform: Hono Cache Middleware
Version: <4.1.1
Vulnerability: Information Disclosure
Severity: Medium
Date: 2024-11-26

Prediction: Patch 2024-12-10

What Undercode Say:

Showing bash commands and codes related to the blog

Check if your project uses a vulnerable version
npm list @hono/cache
Simulate a request that may be incorrectly cached
curl -v -H "Authorization: Bearer <token>" http://app/api/private
curl -v http://app/api/private May receive cached data
// Example of vulnerable usage (even with correct headers)
import { Hono } from 'hono';
import { httpCache } from '@hono/cache';
const app = new Hono();
app.use('/api/', httpCache());
app.get('/api/user', (c) => {
// This header is ignored by vulnerable middleware
c.header('Cache-Control', 'private');
return c.json({ sensitive: 'data' });
});

How Exploit:

1. Attacker lures victim to a cached page.

2. Victim’s private response gets stored.

3. Attacker accesses same URL.

4. Attacker receives victim’s cached data.

Protection from this CVE:

Upgrade to `@hono/cache` version >=4.1.1.

Implement manual cache bypass.

Use platform-level caching (Cloudflare).

Audit endpoints for `Cache-Control` headers.

Impact:

Web Cache Deception.

Exposure of PII/session data.

Unauthorized information access.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top