hono: CORS Middleware reflects any Origin with credentials when `origin` defaults to the wildcard
Description
CORS middleware reflects any Origin with credentials when origin defaults to wildcard, exposing cookie-authenticated endpoints to all sites.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CORS middleware reflects any Origin with credentials when `origin` defaults to wildcard, exposing cookie-authenticated endpoints to all sites.
Vulnerability
In the CORS middleware, when `credentials: true` is enabled and the `origin` option is left unset (defaulting to `*`), the middleware reflects the request's `Origin` header and sends `Access-Control-Allow-Credentials: true` [1]. A literal `*` paired with credentials would fail closed, since browsers reject that combination per the CORS spec; affected versions instead reflect the Origin, so the request succeeds for every origin, including `null` [1]. The preflight also echoes the requested headers, approving non-simple credentialed requests [1]. This affects applications that enable credentialed CORS without restricting `origin` [1][2].
Exploitation
An attacker hosting a malicious website can craft a cross-origin request with `credentials: 'include'` to the target application [1]. The browser sends the request, and the vulnerable middleware returns `Access-Control-Allow-Origin` set to the reflected Origin together with `Access-Control-Allow-Credentials: true` [1]. The attacker's page can then read the response body and headers and perform state-changing operations such as POST requests, because the preflight also allows arbitrary non-simple headers [1]. No authentication bypass or network access is needed; the victim only needs to be logged into the target application in their browser [1].
Impact
Any third-party page a logged-in user visits can read the application's cookie-authenticated endpoints and perform credentialed state-changing requests [1]. This results in full exposure of all endpoints protected by cookies, potentially leading to data theft, account manipulation, or other actions the user can perform [1]. The impact is limited to applications that enable credentials: true without explicitly setting a specific origin [1].
Mitigation
The fix is to either explicitly set the origin option to a specific allowed origin, or to disable credentials: true when using the wildcard origin [1]. As of the publication date, the advisory indicates that affected versions require a patch that either rejects the wildcard with credentials or enforces an explicit origin list [1][2]. Users should update to a patched version once released; if no patch is available, the workaround is to configure CORS with credentials: false or provide an explicit origin array [1].
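The following is an added example, not Hono's source and not the fix referenced by the advisory. It models the decision the Vulnerability section describes (reflecting any Origin when `credentials: true` is combined with the default `*`), shows the two mitigations from the Mitigation section (an explicit origin list, or refusing the wildcard with credentials), and adds two defender-side checks: a lint for the risky option combination and an audit of a captured response. The option names `origin` and `credentials` come from the advisory; the function names, the `patched` flag and the example origins are assumptions made for this illustration.

```javascript
// Added example, not Hono's code. Option names `origin` and `credentials`
// follow the advisory; helper names and sample origins are constructed here.

// Model the middleware's header decision. With `credentials: true` and
// `origin` unset (default '*'), the unpatched branch reflects the request's
// Origin verbatim, including the literal string "null".
function buildCorsHeaders(options, requestOrigin, { patched = false } = {}) {
  const origin = options.origin ?? '*';
  const credentials = options.credentials === true;
  const headers = {};

  if (credentials && origin === '*') {
    if (patched) {
      // Hardened behaviour (constructed, not Hono's actual fix): never pair the
      // wildcard with credentials, so no cross-origin grant is issued at all.
      return headers;
    }
    // Vulnerable default: any Origin is reflected and credentials are allowed.
    headers['Access-Control-Allow-Origin'] = requestOrigin;
    headers['Access-Control-Allow-Credentials'] = 'true';
    headers['Vary'] = 'Origin';
    return headers;
  }

  if (origin === '*') {
    // Wildcard without credentials is the safe, spec-compliant case.
    headers['Access-Control-Allow-Origin'] = '*';
    return headers;
  }

  // Explicit origin (string or array): grant only on an exact match.
  const allowed = Array.isArray(origin) ? origin : [origin];
  if (requestOrigin && allowed.includes(requestOrigin)) {
    headers['Access-Control-Allow-Origin'] = requestOrigin;
    headers['Vary'] = 'Origin';
    if (credentials) headers['Access-Control-Allow-Credentials'] = 'true';
  }
  return headers;
}

// Defender check 1: flag a configuration that enables credentials without an
// explicit origin, which is exactly the condition the advisory describes.
function lintCorsOptions(options) {
  const origin = options.origin ?? '*';
  const wildcard =
    origin === '*' || (Array.isArray(origin) && origin.includes('*'));
  if (options.credentials === true && wildcard) {
    return {
      safe: false,
      reason: 'credentials: true with an unset or wildcard origin reflects any Origin',
    };
  }
  return { safe: true, reason: '' };
}

// Defender check 2: audit a response from your own endpoint after sending a
// probe Origin that is NOT in your allowlist. The misconfiguration shows as
// that probe Origin being reflected alongside Allow-Credentials: true.
function auditCorsResponse(responseHeaders, probeOrigin) {
  const get = (name) => {
    const key = Object.keys(responseHeaders).find(
      (k) => k.toLowerCase() === name
    );
    return key === undefined ? undefined : responseHeaders[key];
  };
  const reflected = get('access-control-allow-origin') === probeOrigin;
  const credentialed =
    String(get('access-control-allow-credentials') ?? '').toLowerCase() === 'true';
  return { reflected, credentialed, vulnerable: reflected && credentialed };
}

// Constructed walk-through: the risky default, the explicit-origin fix, and the
// patched wildcard handling, all evaluated against a probe origin.
function demo() {
  const probe = 'https://third-party.example'; // constructed, not in any allowlist
  const risky = { credentials: true };           // origin left unset
  const fixed = { credentials: true, origin: ['https://app.example'] };
  return {
    lintRisky: lintCorsOptions(risky),
    lintFixed: lintCorsOptions(fixed),
    auditRisky: auditCorsResponse(buildCorsHeaders(risky, probe), probe),
    auditFixed: auditCorsResponse(buildCorsHeaders(fixed, probe), probe),
    auditPatched: auditCorsResponse(
      buildCorsHeaders(risky, probe, { patched: true }), probe),
  };
}
```

`lintCorsOptions` is the check to run over application configuration before deployment; `auditCorsResponse` is the check to run against a staging instance of your own service, using a probe Origin that should never be granted, so a reflected grant with credentials is unambiguous evidence of the misconfiguration.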
AI Insight generated on Jun 16, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0 (No patches discovered yet.)
Vulnerability mechanics
No source-code context for this CVE — the mechanics section is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References: 2
News mentions: 0 (No linked articles in our index yet.)