Date: 2026-06-17 Target: hono 4.12.25 (fresh 5-CVE cluster) Verdict: WALK CLEAN (CORS, the HIGH item).
GHSA-88fw-hqm2-52qc [HIGH] CORS reflects any Origin w/ credentials when origin defaults to wildcard; + 4 medium (Lambda body-limit-bypass via understated Content-Length; Lambda@Edge repeated-header drop; serve-static Windows %5C path traversal; Lambda Set-Cookie merge). Latter 4 = AWS-adapter or Windows-bound.
"reflect+credentials" cases as exploitable - but both required the DEVELOPER to explicitly allowlist the attacker origin or write a reflect-all function. Every CORS lib (express cors included) behaves identically; it is documented developer responsibility, NOT a library bug. A finding must be triggerable by the ATTACKER under a SAFE/DEFAULT config, not by the victim configuring themselves insecure. The fix's job was the unsafe DEFAULT (wildcard auto-reflection) - that is closed. Don't stage user-footgun configs as incomplete-fixes.
on Linux box, cf. tar-fs drive-relative); the 3 Lambda/ALB adapter header bugs need Lambda event shapes + are lower severity. Highest-severity item (CORS) walked; cost-govern-hard -> not deep-diving the adapter long tail.
clean walks -> stand down. n8n (30+ authz CVEs today, in-wheelhouse) remains the highest-EV fresh cluster but needs a standup/RAM decision - flagged for operator.