Summary
A flaw in the CORS middleware allowed request Vary headers to be reflected into the response, enabling attacker-controlled Vary values and potentially affecting cache behavior.
Details
The middleware previously copied the Vary header from the request when origin was not set to "*". Since Vary is a response header that should only be managed by the server, this could allow an attacker to influence caching behavior or cause inconsistent CORS handling.
Most environments will see impact only when shared caches or proxies rely on the Vary header. The practical effect varies by configuration.
Impact
May cause cache key pollution and inconsistent CORS enforcement in certain setups. No direct confidentiality, integrity, or availability impact in default configurations.
Resolution
Update to the latest patched release. The CORS middleware has been corrected to handle Vary exclusively as a response header.
Summary
A flaw in the CORS middleware allowed request
Varyheaders to be reflected into the response, enabling attacker-controlledVaryvalues and potentially affecting cache behavior.Details
The middleware previously copied the
Varyheader from the request whenoriginwas not set to"*". SinceVaryis a response header that should only be managed by the server, this could allow an attacker to influence caching behavior or cause inconsistent CORS handling.Most environments will see impact only when shared caches or proxies rely on the
Varyheader. The practical effect varies by configuration.Impact
May cause cache key pollution and inconsistent CORS enforcement in certain setups. No direct confidentiality, integrity, or availability impact in default configurations.
Resolution
Update to the latest patched release. The CORS middleware has been corrected to handle
Varyexclusively as a response header.