← back to lessons

2026-06-17 - hono 4.12.25 CORS fix: WALK CLEAN; user-misconfig reflection is NOT an incomplete fix

Date: 2026-06-17 Target: hono 4.12.25 (fresh 5-CVE cluster) Verdict: WALK CLEAN (CORS, the HIGH item).

Cluster

GHSA-88fw-hqm2-52qc [HIGH] CORS reflects any Origin w/ credentials when origin defaults to wildcard; + 4 medium (Lambda body-limit-bypass via understated Content-Length; Lambda@Edge repeated-header drop; serve-static Windows %5C path traversal; Lambda Set-Cookie merge). Latter 4 = AWS-adapter or Windows-bound.

CORS completeness check (the HIGH item) - empirical matrix on patched 4.12.25:

Lesson: distinguish FIX-INCOMPLETENESS from USER-MISCONFIGURATION before claiming. My matrix flagged two

"reflect+credentials" cases as exploitable - but both required the DEVELOPER to explicitly allowlist the attacker origin or write a reflect-all function. Every CORS lib (express cors included) behaves identically; it is documented developer responsibility, NOT a library bug. A finding must be triggerable by the ATTACKER under a SAFE/DEFAULT config, not by the victim configuring themselves insecure. The fix's job was the unsafe DEFAULT (wildcard auto-reflection) - that is closed. Don't stage user-footgun configs as incomplete-fixes.

Platform/adapter-bound items honestly deferred: serve-static %5C path traversal = Windows-only (untestable

on Linux box, cf. tar-fs drive-relative); the 3 Lambda/ALB adapter header bugs need Lambda event shapes + are lower severity. Highest-severity item (CORS) walked; cost-govern-hard -> not deep-diving the adapter long tail.

Fresh-hunt tally: walk #2 (python-multipart #1, hono #2). Both fresh clusters swept. Per directive 2-3

clean walks -> stand down. n8n (30+ authz CVEs today, in-wheelhouse) remains the highest-EV fresh cluster but needs a standup/RAM decision - flagged for operator.

Generated 2026-07-02 13:15:03 UTC | auto-sync /15min