fix(deps): update dependency hono to v4.12.25 [security]#559
Open
renovate[bot] wants to merge 1 commit into
This PR contains the following updates:

| Package | Change |
|---|---|
| hono | `4.12.14` → `4.12.25` |

Hono: bodyLimit() can be bypassed for chunked / unknown-length requests
CVE-2026-44456 / GHSA-9vqf-7f2p-gf9v
Details
Summary
`bodyLimit()` does not reliably enforce `maxSize` for requests without a usable `Content-Length` (e.g. `Transfer-Encoding: chunked`). Oversized requests can reach handlers and return `200` instead of `413`.
Details
For chunked / unknown-length requests, `bodyLimit()` wraps the body in a stream that counts bytes asynchronously, then runs the handler before the size decision is final. The `413` is only applied afterwards by checking `c.error`.
This lets the limit be bypassed when:
`try/catch`.
In all three cases the handler returns `200` before the limit check completes (or its result is observed).
The fix is to enforce the size decision before `next()` runs, instead of retrofitting the response via `c.error` afterwards.
Impact
Applications relying on `bodyLimit()` as a hard boundary can be bypassed: oversized chunked requests can reach handler logic and return successful responses. Per-request data exposure is bounded by `maxSize`, but the documented guarantee — "oversized requests are rejected before business logic runs" — does not hold.
Credits
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
References
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
hono/jsx has Unvalidated JSX Tag Names that May Allow HTML Injection
CVE-2026-44455 / GHSA-69xw-7hcm-h432
Details
Summary
Improper handling of JSX element tag names in hono/jsx allowed unvalidated tag names to be directly inserted into the generated HTML output.
When untrusted input is used as a tag name via the programmatic `jsx()` or `createElement()` APIs during server-side rendering, specially crafted values may break out of the intended element context and inject unintended HTML.
Details
When rendering JSX elements to HTML strings, attribute values are escaped and attribute names are validated. However, element tag names were previously inserted into the output without validation.
If a tag name contains characters such as `<`, `>`, quotes, or whitespace, it may alter the structure of the generated HTML.
For example, malformed tag names can:
This issue arises when untrusted input (such as query parameters or database content) is used as JSX tag names via `jsx()` or `createElement()` during server-side rendering.
Impact
An attacker who can control tag names used in JSX rendering may inject unintended HTML into the generated output.
This may lead to:
This issue only affects applications that construct JSX tag names from untrusted input. Applications using static or allowlisted tag names are not affected.
Severity
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
References
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Hono's Cache Middleware ignores Vary: Authorization / Vary: Cookie leading to cross-user cache leakage
CVE-2026-44457 / GHSA-p77w-8qqv-26rm
Details
Summary
Cache Middleware does not skip caching for responses that declare per-user variance via `Vary: Authorization` or `Vary: Cookie`. As a result, a response cached for one authenticated user may be served to subsequent requests from different users.
Details
The Cache Middleware skips caching when a response carries `Vary: *`, certain `Cache-Control` directives (`private`, `no-store`, `no-cache`), or `Set-Cookie`. However, `Vary: Authorization` and `Vary: Cookie` — the standard signals defined in RFC 9110 / RFC 9111 to indicate per-user responses — are not treated as cache-skip reasons.
This issue arises when applications use the Cache Middleware on endpoints that return user-specific data and rely on `Vary: Authorization` or `Vary: Cookie` to scope the response per user, without also setting `Cache-Control: private`.
Impact
A user may receive a cached response that was originally generated for a different authenticated user. This may lead to:
This issue affects applications that use the Cache Middleware on endpoints whose responses vary by `Authorization` or `Cookie` and that do not also set `Cache-Control: private`.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
References
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
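The cache-skip decision described in this advisory is small enough to show in full. The following is an added example, not Hono's Cache Middleware: a `cacheDecision()` function (name chosen here) that takes response headers as a plain object with lower-case names and returns whether a shared cache may store the response, treating `Vary: Authorization` and `Vary: Cookie` as skip reasons alongside the signals the advisory says the middleware already honours (`Vary: *`, `private`/`no-store`/`no-cache`, and `Set-Cookie`). The sample header sets in the comments are constructed for illustration.

```javascript
// Added example, not Hono's Cache Middleware: decide whether a response may be stored in a
// shared cache, with the two per-user Vary values treated as cache-skip reasons.

const PER_USER_VARY = new Set(['*', 'authorization', 'cookie']);
const UNCACHEABLE_DIRECTIVES = new Set(['private', 'no-store', 'no-cache']);

// Split a comma-separated header into trimmed, lower-cased tokens ("" and undefined -> []).
function splitList(value) {
  if (!value) return [];
  return value.split(',').map((t) => t.trim().toLowerCase()).filter(Boolean);
}

// Cache-Control directives may carry arguments (max-age=60); compare on the name only.
function directiveNames(value) {
  return splitList(value).map((d) => d.split('=')[0].trim());
}

// headers: plain object keyed by lower-case header name, e.g. { vary: 'Authorization' } (constructed).
// Returns { cache: boolean, reason: string }.
function cacheDecision(headers) {
  if ('set-cookie' in headers) {
    return { cache: false, reason: 'Set-Cookie present' };
  }
  for (const directive of directiveNames(headers['cache-control'])) {
    if (UNCACHEABLE_DIRECTIVES.has(directive)) {
      return { cache: false, reason: `Cache-Control: ${directive}` };
    }
  }
  for (const field of splitList(headers['vary'])) {
    // Vary: * and the per-user fields mean the stored copy would be wrong for another client.
    if (PER_USER_VARY.has(field)) {
      return { cache: false, reason: `Vary: ${field}` };
    }
  }
  return { cache: true, reason: 'no per-user signal' };
}
```

A response that varies only on `Accept-Encoding` is still cacheable under this rule; one that lists `Cookie` anywhere in `Vary`, or any of the three `Cache-Control` directives, is not, regardless of what else the response says.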
Hono has improper validation of NumericDate claims (exp, nbf, iat) in JWT verify()
CVE-2026-44459 / GHSA-hm8q-7f3q-5f36
Details
Summary
Improper validation of the JWT NumericDate claims `exp`, `nbf`, and `iat` in `hono/utils/jwt` allows tokens with non-spec-compliant claim values to silently bypass time-based checks. This issue is not exploitable by an anonymous attacker; it only manifests when a malformed claim value reaches `verify()` — typically when the application itself issues such tokens, or when the signing key is otherwise under attacker control.
Details
The validation routine combined option, presence, and threshold checks in a single short-circuiting expression, so several classes of malformed values were silently skipped instead of rejected:
This deviates from RFC 7519 §4.1.4, which defines NumericDate as a finite JSON numeric value.
Impact
An actor able to issue tokens accepted by the application may craft tokens whose `exp`, `nbf`, or `iat` claims silently bypass time-based enforcement. This may lead to:
- `exp` configured on the verifier.
- `nbf` accepted as currently valid.
- `iat` accepted as legitimately issued.
Deployments using a well-formed token issuer and protecting the signing key are not affected.
Severity
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N
References
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Hono has CSS Declaration Injection via Style Object Values in JSX SSR
CVE-2026-44458 / GHSA-qp7p-654g-cw7p
Details
Summary
The JSX renderer escapes `style` attribute object values for HTML but not for CSS. Untrusted input in a `style` object value or property name can therefore inject additional CSS declarations into the rendered `style` attribute. The impact is limited to CSS and does not allow JavaScript execution or HTML attribute breakout.
Details
`style` object values are serialized into a CSS declaration list and escaped for HTML attribute context only. Characters that act as CSS declaration boundaries — such as `;`, comment markers, quoted strings, and block delimiters — are valid in HTML attribute content and can extend a value beyond its assigned property.
This issue arises when untrusted input is interpolated into a JSX `style` object and rendered server-side.
Impact
An attacker who can control the value or property name of a `style` object may inject arbitrary CSS declarations. This may lead to:
- `url(...)`
This issue affects applications that render JSX on the server with `style` object values or property names derived from untrusted input.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
References
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Hono: JWT middleware accepts any Authorization scheme, not only Bearer
CVE-2026-47673 / GHSA-f577-qrjj-4474
Details
Summary
The `jwt` and `jwk` middlewares do not verify that the `Authorization` header value uses the `Bearer` scheme. Any two-part header value — regardless of the scheme name in the first position — proceeds to JWT verification. A request presenting a valid JWT under a non-`Bearer` scheme identifier (such as `Basic` or `Token`) is authenticated identically to a correctly formed `Bearer` request.
Details
When processing an `Authorization` (or custom) header, the middleware splits the value on whitespace and uses the second token as the JWT to verify. It does not check that the first token is `bearer` (case-insensitively). RFC 6750 specifies that JWT bearer tokens must be presented using the `Bearer` scheme; other scheme identifiers carry distinct semantics and may be subject to different policies in network-layer security controls.
This discrepancy means that scheme-aware external controls — such as WAF rules, API gateways, or reverse proxies that apply policies specific to the `Bearer` scheme identifier — can be bypassed by presenting a valid JWT under a different scheme name.
This issue affects `hono/jwt` and `hono/jwk` middleware.
Impact
An attacker who possesses a valid JWT may present it under a non-`Bearer` scheme identifier and still pass middleware authentication.
This may lead to:
This issue affects applications where `hono/jwt` or `hono/jwk` authentication is combined with external controls that enforce scheme-based access policies.
Severity
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
References
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
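Two of the advisories above concern the JWT verification path: the NumericDate advisory (GHSA-hm8q-7f3q-5f36) describes presence, type and threshold checks folded into one short-circuiting expression, and this one (GHSA-f577-qrjj-4474) describes the scheme name in the `Authorization` header going unchecked. The following is an added example, not Hono's `jwt`/`jwk` middleware or `hono/utils/jwt`: an `extractBearerToken()` helper that accepts only the `Bearer` scheme (case-insensitively, per RFC 6750), and a `validateNumericDateClaims()` helper that checks `exp`, `nbf` and `iat` in three separate steps so that `null`, strings, `NaN` and `Infinity` are rejected rather than skipped. Both function names, the `requireExp` and `clockTolerance` options, and the sample payloads are this example's own assumptions.

```javascript
// Added example, not Hono's jwt/jwk middleware or hono/utils/jwt: the two checks the
// advisories say were missing, written as separate, non-short-circuiting steps.

// RFC 6750: a bearer token is presented as "Bearer <token>"; the scheme name is case-insensitive.
// Returns the token, or null when the header is absent, malformed, or uses another scheme.
function extractBearerToken(authorization) {
  if (typeof authorization !== 'string') return null;
  const parts = authorization.trim().split(/\s+/);
  if (parts.length !== 2) return null; // exactly <scheme> <credentials>
  const [scheme, token] = parts;
  if (scheme.toLowerCase() !== 'bearer') return null; // Basic, Token, ... are not accepted here
  return token;
}

// RFC 7519 §4.1.4: a NumericDate is a finite JSON number (seconds since the epoch).
function isNumericDate(value) {
  return typeof value === 'number' && Number.isFinite(value);
}

// Validate exp / nbf / iat on a decoded payload.
// options (names chosen for this example): now (seconds), requireExp (default true), clockTolerance (seconds).
// Returns { ok: true } or { ok: false, error }.
function validateNumericDateClaims(payload, options = {}) {
  const now = options.now ?? Math.floor(Date.now() / 1000);
  const tolerance = options.clockTolerance ?? 0;
  const requireExp = options.requireExp ?? true;

  for (const claim of ['exp', 'nbf', 'iat']) {
    // Step 1: presence. Only exp can be mandatory here; nbf and iat are optional per RFC 7519.
    if (!Object.prototype.hasOwnProperty.call(payload, claim)) {
      if (claim === 'exp' && requireExp) return { ok: false, error: 'exp: missing' };
      continue;
    }
    // Step 2: type. null, strings, booleans, NaN and Infinity are rejected, never skipped.
    const value = payload[claim];
    if (!isNumericDate(value)) return { ok: false, error: `${claim}: not a finite number` };
    // Step 3: threshold, evaluated only once the value is known to be well formed.
    if (claim === 'exp' && value <= now - tolerance) return { ok: false, error: 'exp: token expired' };
    if (claim === 'nbf' && value > now + tolerance) return { ok: false, error: 'nbf: token not yet valid' };
    if (claim === 'iat' && value > now + tolerance) return { ok: false, error: 'iat: issued in the future' };
  }
  return { ok: true };
}
```

Keeping the three steps separate is the whole point: a value that fails the type check produces an explicit error instead of making the threshold comparison evaluate to `false` and fall through. Signature verification is out of scope here and would run before these checks.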
Hono: IP Restriction bypasses static deny rules for non-canonical IPv6
CVE-2026-47674 / GHSA-xrhx-7g5j-rcj5
Details
Summary
The `ip-restriction` middleware (`hono/ip-restriction`) compares incoming IP addresses against configured deny and allow rules using string equality after partial normalization. Non-canonical IPv6 representations of an address already listed in a static rule — such as compressed forms, explicit-zero forms, or hex-notation IPv4-mapped addresses — do not match the normalized rule entry, causing the rule to be silently skipped.
Details
When the rule matcher is built, each configured IP rule is normalized to a canonical string form. Incoming IP addresses received at request time are then compared against those canonical strings without applying the same normalization. Because IPv6 permits multiple syntactically different representations of the same numeric address, a non-canonical form of a denied address fails the string lookup and proceeds to the CIDR check, which also finds no match for rules registered as static (no prefix length). The request is then allowed.
Affected non-canonical forms include:
- `2001:db8::1` vs `2001:db8:0:0:0:0:0:1`
- `::ffff:7f00:1` vs `::ffff:127.0.0.1`
- `fe80::1%eth0`
Additionally, invalid IP address strings provided as the remote address are not rejected and may result in unexpected allow or deny behavior.
This issue arises when applications use `ipRestriction()` with static (non-CIDR) rules and the IP address source can supply addresses in non-canonical IPv6 form.
Impact
A request from an IP address covered by a static deny rule may bypass the restriction if the address is presented in a non-canonical IPv6 form.
This may lead to:
This issue affects applications using `hono/ip-restriction` with static deny rules for IPv4 or IPv6 addresses, particularly when the source address is derived from proxy headers or custom `getIP` implementations that may return non-canonical forms.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
References
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
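The fix the advisory implies is to put rules and remote addresses through the same canonicalization before comparing them, and to treat unparsable input as an explicit outcome rather than letting it fall through. The following is an added example, not Hono's `ip-restriction` code: it parses IPv4 and IPv6 text into eight 16-bit groups (stripping a zone identifier such as `%eth0`, expanding `::`, folding an embedded dotted quad, and returning `null` for anything malformed), compares on that form, and reports unparsable remote addresses as `invalid` so the caller can fail closed. The function names (`canonicalize`, `buildStaticMatcher`, `makeDenyListDecider`), the decision to treat plain IPv4 as its IPv4-mapped IPv6 equivalent, and the sample addresses are this example's own choices.

```javascript
// Added example, not Hono's ip-restriction middleware: canonicalise both the configured
// rules and the remote address before comparing, and fail closed on unparsable input.

// Dotted-quad IPv4 -> [a, b, c, d], or null.
function parseIPv4(text) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(text);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  return octets.every((o) => o <= 255) ? octets : null;
}

// IPv6 text -> eight 16-bit groups, or null when the text is not a valid IPv6 address.
function parseIPv6(text) {
  let s = text;
  const zone = s.indexOf('%'); // fe80::1%eth0: the zone names an interface, not part of the address
  if (zone !== -1) s = s.slice(0, zone);
  if (s === '') return null;

  let tail = [];
  const lastColon = s.lastIndexOf(':');
  if (lastColon !== -1 && s.slice(lastColon + 1).includes('.')) {
    // Embedded dotted quad (::ffff:127.0.0.1) becomes the two trailing groups.
    const v4 = parseIPv4(s.slice(lastColon + 1));
    if (!v4) return null;
    tail = [(v4[0] << 8) | v4[1], (v4[2] << 8) | v4[3]];
    s = s.slice(0, lastColon);
    if (s.endsWith(':')) s += ':'; // a "::" directly before the dotted quad must survive
  }

  const toGroups = (part) => {
    if (part === '') return [];
    const groups = [];
    for (const g of part.split(':')) {
      if (!/^[0-9a-f]{1,4}$/i.test(g)) return null; // empty or non-hex group
      groups.push(parseInt(g, 16));
    }
    return groups;
  };

  const halves = s.split('::');
  if (halves.length > 2) return null; // at most one "::"
  const head = toGroups(halves[0]);
  const rest = halves.length === 2 ? toGroups(halves[1]) : [];
  if (head === null || rest === null) return null;
  const known = head.length + rest.length + tail.length;
  if (halves.length === 1) return known === 8 ? [...head, ...tail] : null;
  if (known >= 8) return null; // "::" must stand for at least one zero group
  return [...head, ...new Array(8 - known).fill(0), ...rest, ...tail];
}

// Canonical string form. Plain IPv4 is treated as its IPv4-mapped IPv6 address, so
// 127.0.0.1, ::ffff:127.0.0.1 and ::ffff:7f00:1 compare equal (a choice made by this example).
function canonicalize(text) {
  if (typeof text !== 'string') return null;
  const trimmed = text.trim();
  const v4 = parseIPv4(trimmed);
  const groups = v4
    ? [0, 0, 0, 0, 0, 0xffff, (v4[0] << 8) | v4[1], (v4[2] << 8) | v4[3]]
    : parseIPv6(trimmed);
  return groups ? groups.map((g) => g.toString(16)).join(':') : null;
}

// Static (non-CIDR) rules; a rule that does not parse is a configuration error, not a silent skip.
function buildStaticMatcher(rules) {
  const canonicalRules = new Set();
  for (const rule of rules) {
    const c = canonicalize(rule);
    if (c === null) throw new Error(`invalid IP rule: ${rule}`);
    canonicalRules.add(c);
  }
  return (remoteAddress) => {
    const c = canonicalize(remoteAddress);
    return c !== null && canonicalRules.has(c);
  };
}

// 'deny' on a match, 'invalid' for unparsable remote addresses (callers should treat it as
// deny), otherwise 'allow'.
function makeDenyListDecider(denyRules) {
  const denied = buildStaticMatcher(denyRules);
  return (remoteAddress) => {
    if (canonicalize(remoteAddress) === null) return 'invalid';
    return denied(remoteAddress) ? 'deny' : 'allow';
  };
}
```

With this, the three forms the advisory lists collapse to one canonical string each, so a deny rule written as `2001:db8::1` matches a remote address reported as `2001:db8:0:0:0:0:0:1`, and a rule written as `127.0.0.1` matches both `::ffff:127.0.0.1` and `::ffff:7f00:1`. Whether a zone identifier should be stripped or rejected is a policy choice; this example strips it because the zone does not change the address being compared.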
Hono: Cookie helper does not sanitize sameSite and priority, allowing Set-Cookie injection
CVE-2026-47675 / GHSA-3hrh-pfw6-9m5x
Details
Summary
The `serialize()` function in `hono/cookie` validates `domain` and `path` options against characters that corrupt `Set-Cookie` header syntax (`;`, `\r`, `\n`), but does not apply the same validation to `sameSite` and `priority`. An application that passes user-controlled input into either option may produce a `Set-Cookie` response header containing attacker-chosen additional attributes.
Details
When constructing a `Set-Cookie` header value, `serialize()` appends the `sameSite` and `priority` option values directly into the output string after a presentation-only transformation (capitalizing the first character). Although the TypeScript type signature constrains these options to specific string literals, that constraint is not enforced at runtime; any string value, including one containing `;` or line-feed characters, passes through unchanged.
The validation guard that rejects `;`, `\r`, and `\n` from `domain` and `path` is not applied to `sameSite` or `priority`. An application that passes a request-derived value to either option therefore provides an injection point into the header line.
This issue arises when an application passes user-controlled input to the `sameSite` or `priority` option of `setCookie()` or `serialize()`.
Impact
An attacker who can control the `sameSite` or `priority` option value may inject additional attributes into a `Set-Cookie` response header.
This may lead to:
- `Domain`, `Path`, `HttpOnly`, `Secure`, or `Max-Age` for the affected cookie
- `Set-Cookie` header in the same response
This issue affects applications that pass user-derived input into the `sameSite` or `priority` option of `hono/cookie` serialization functions.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
References
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
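The advisory points at the gap between a TypeScript literal type and what actually arrives at runtime. The following is an added example, not Hono's `serialize()`: a `serializeCookie()` function (name chosen here) that allowlists `sameSite` and `priority` against their defined values at runtime, applies the same `;`/`\r`/`\n` guard to every free-text attribute, and throws on anything else rather than emitting it into the header line. The option names mirror common cookie libraries but are this example's own; the sample inputs in the usage are constructed.

```javascript
// Added example, not Hono's hono/cookie serialize(): a Set-Cookie serializer that enforces the
// enum-valued attributes at runtime and applies one control-character guard to every attribute.

const SAME_SITE_VALUES = new Set(['Strict', 'Lax', 'None']);
const PRIORITY_VALUES = new Set(['Low', 'Medium', 'High']);

// Characters that would terminate the current attribute or the header line itself.
const HEADER_BREAKERS = /[;\r\n]/;

function assertSafeAttribute(name, value) {
  if (typeof value !== 'string' || HEADER_BREAKERS.test(value)) {
    throw new TypeError(`cookie option "${name}" contains an invalid character`);
  }
}

// Normalises case ("lax" -> "Lax") and rejects anything outside the allowlist. Because the
// allowlist is closed, no separator or line break can ever reach the output through these options.
function normaliseEnum(name, value, allowed) {
  if (typeof value !== 'string' || value.length === 0) {
    throw new TypeError(`cookie option "${name}" must be a non-empty string`);
  }
  const canonical = value.charAt(0).toUpperCase() + value.slice(1).toLowerCase();
  if (!allowed.has(canonical)) {
    throw new TypeError(`cookie option "${name}" has an unsupported value`);
  }
  return canonical;
}

// Build a single Set-Cookie header value. Throws TypeError on any unsafe option.
function serializeCookie(name, value, options = {}) {
  if (!/^[\w!#$%&'*+.^`|~-]+$/.test(name)) throw new TypeError('invalid cookie name');
  let cookie = `${name}=${encodeURIComponent(value)}`;

  if (options.maxAge !== undefined) {
    if (!Number.isInteger(options.maxAge) || options.maxAge < 0) {
      throw new TypeError('maxAge must be a non-negative integer');
    }
    cookie += `; Max-Age=${options.maxAge}`;
  }
  if (options.domain !== undefined) {
    assertSafeAttribute('domain', options.domain);
    cookie += `; Domain=${options.domain}`;
  }
  if (options.path !== undefined) {
    assertSafeAttribute('path', options.path);
    cookie += `; Path=${options.path}`;
  }
  if (options.expires instanceof Date) cookie += `; Expires=${options.expires.toUTCString()}`;
  if (options.httpOnly) cookie += '; HttpOnly';
  if (options.secure) cookie += '; Secure';
  if (options.sameSite !== undefined) {
    const sameSite = normaliseEnum('sameSite', options.sameSite, SAME_SITE_VALUES);
    if (sameSite === 'None' && !options.secure) throw new TypeError('SameSite=None requires Secure');
    cookie += `; SameSite=${sameSite}`;
  }
  if (options.priority !== undefined) {
    cookie += `; Priority=${normaliseEnum('priority', options.priority, PRIORITY_VALUES)}`;
  }
  return cookie;
}
```

A request-derived value such as `Lax; Domain=attacker.example` never matches the allowlist, so it is rejected before any string concatenation happens; the same holds for a value carrying a line break intended to start a second header.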
Hono: app.mount() strips mount prefix using undecoded path, causing incorrect routing for percent-encoded paths
CVE-2026-47676 / GHSA-2gcr-mfcq-wcc3
Details
Summary
`app.mount()` strips the mount prefix from the incoming request path using the raw URL pathname, while route matching is performed against the percent-decoded path. This inconsistency causes the prefix to be stripped at the wrong position when the path contains percent-encoded multi-byte characters, resulting in the mounted sub-application receiving an incorrect path.
Details
When `app.mount(prefix, subApp)` is called, Hono calculates the number of characters to strip based on the decoded mount prefix length, but then applies that slice to the raw URL pathname. When the URL contains percent-encoded characters that expand to fewer characters when decoded (such as encoded non-ASCII characters), the two representations have different lengths, so the prefix is stripped at the wrong byte offset.
As a result, the sub-application receives a path that does not correspond to the intended sub-path — it may receive a partial or garbled path instead of the expected value after the mount prefix is removed.
This issue arises when an application uses `app.mount()` with paths that contain percent-encoded characters, particularly when the mount prefix itself or the request path contains encoded non-ASCII characters.
Impact
A mounted sub-application may receive an incorrectly stripped path, causing requests to be routed to unintended handlers within the sub-application.
This may lead to:
This issue affects applications that use `app.mount()` where the request URL may contain percent-encoded characters in the mount prefix or subsequent path segments.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
References
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
hono: AWS Lambda adapter merges multiple Set-Cookie headers into one value, dropping cookies on ALB single-header and Lattice
CVE-2026-54287 / GHSA-j6c9-x7qj-28xf
Details
Summary
On AWS Lambda, the ALB single-header response and the VPC Lattice v2 response join multiple `Set-Cookie` headers into one comma-separated value. Because commas also appear inside cookie attributes (for example `Expires` dates), clients cannot split the value back into individual cookies and silently drop or misparse them.
Details
Per RFC 6265, each cookie must be its own `Set-Cookie` header line, and commas may appear inside attribute values. Joining cookies with `", "` collides with those commas, producing a value that clients cannot reliably split. Only ALB single-header mode and VPC Lattice v2 are affected; API Gateway v1/v2 and ALB with multi-value headers enabled already use an array and are unaffected.
Impact
A client may receive only one of the cookies, a malformed cookie, or none. Session, CSRF, or preference cookies can silently fail to apply, breaking sessions or forcing re-authentication. This affects applications that set multiple cookies per response and run on AWS Lambda behind an ALB in single-header mode (the default) or VPC Lattice v2.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
References
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
hono: Path traversal in serve-static on Windows via encoded backslash (%5C)
CVE-2026-54286 / GHSA-wwfh-h76j-fc44
Details
Summary
On Windows hosts, an encoded backslash (`%5C`) in the request path decodes to `\`, which the Windows path resolver treats as a separator. `serve-static` then resolves a single URL segment such as `admin\secret.txt` into a nested file under the root and serves it, letting an attacker read static files meant to be protected behind prefix-mounted middleware. Directory escape (`..`) remains blocked.
Details
The router splits paths only on `/`, so `/admin%5Csecret.txt` is one segment and middleware on `/admin/*` does not run. The `serve-static` guard rejects `.`/`..` and consecutive separators but lets a lone `\` through; on Windows the file resolver re-splits it into the protected subtree.
This affects Windows hosts serving static files via the Node, Bun, or Deno adapters that guard a static subtree with prefix-mounted middleware.
Impact
An unauthenticated attacker can read static files under a middleware-guarded prefix on Windows hosts. The read stays within the configured root; escape outside the root is not possible.
Severity
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
References
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
hono: CORS Middleware reflects any Origin with credentials when origin defaults to the wildcard
CVE-2026-54290 / GHSA-88fw-hqm2-52qc
Details
Summary
With `credentials: true` and no explicit `origin` (the default wildcard), the CORS Middleware reflects the request's `Origin` and sends `Access-Control-Allow-Credentials: true`. Any site can then make credentialed cross-origin requests and read the responses, exposing cookie-authenticated endpoints to arbitrary origins.
Details
The spec forbids `Access-Control-Allow-Origin: *` with credentials and browsers reject it, so this configuration used to fail closed. In affected versions the middleware reflects the request `Origin` instead, so it now succeeds for every origin, including `null`. The preflight also echoes the requested headers back, approving non-simple credentialed requests too.
This issue arises when an application enables `credentials: true` and leaves `origin` unset or set to the wildcard.
Impact
Any third-party page a logged-in user visits can read the application's cookie-authenticated endpoints and perform credentialed state-changing requests. This affects applications that enable credentialed CORS without restricting `origin`.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
References
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
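The defensive posture the advisory describes as lost is "fail closed": a wildcard origin and credentials must never combine into a reflected `Access-Control-Allow-Origin`. The following is an added example, not Hono's `cors()` middleware: `validateCorsConfig()` rejects `credentials: true` without an explicit allowlist at startup, and `corsResponseHeaders()` answers a request `Origin` only when it exactly matches an allowlisted bare origin, emitting nothing otherwise (so the browser blocks the read) and never accepting the `null` origin. The function names, the config shape (`origin`, `credentials`) and the sample origins are this example's own assumptions.

```javascript
// Added example, not Hono's cors() middleware: fail closed on credentialed wildcard CORS and
// match the request Origin against an explicit allowlist instead of reflecting it.

// Validate once at startup. origin: '*' (default) | 'https://app.example' | [origins]; credentials: boolean.
function validateCorsConfig(config = {}) {
  const { origin = '*', credentials = false } = config;
  if (credentials && origin === '*') {
    throw new Error('cors: credentials: true requires an explicit origin allowlist, not "*"');
  }
  const list = origin === '*' ? null : Array.isArray(origin) ? origin : [origin];
  if (list !== null) {
    for (const o of list) {
      // "null" is what browsers send for opaque origins (sandboxed frames, file://); never allowlist it.
      if (o === 'null' || o === '*') throw new Error(`cors: "${o}" cannot be allowlisted`);
      let parsed;
      try {
        parsed = new URL(o);
      } catch (e) {
        throw new Error(`cors: invalid origin "${o}"`);
      }
      // A bare origin has no path, query or fragment; "https://app.example/" would never match a real Origin header.
      if (parsed.origin !== o) throw new Error(`cors: "${o}" is not a bare origin`);
    }
  }
  return { allowlist: list === null ? null : new Set(list), credentials };
}

// Per request: headers to add for the given Origin, or {} when the origin is refused.
function corsResponseHeaders(validated, requestOrigin) {
  const headers = {};
  if (validated.allowlist === null) {
    headers['Access-Control-Allow-Origin'] = '*'; // public resource; credentials were rejected at config time
    return headers;
  }
  if (typeof requestOrigin !== 'string' || !validated.allowlist.has(requestOrigin)) {
    return headers; // unknown origin: say nothing, the browser withholds the response from the page
  }
  headers['Access-Control-Allow-Origin'] = requestOrigin;
  headers['Vary'] = 'Origin'; // the response now differs per origin, so caches must key on it
  if (validated.credentials) headers['Access-Control-Allow-Credentials'] = 'true';
  return headers;
}
```

Because the allowlist is checked with exact set membership, a lookalike such as `https://app.example.attacker.example` or the `null` origin gets no `Access-Control-Allow-Origin` header at all, which is the same outcome the browser enforced before the regression the advisory describes.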
hono: Lambda@Edge adapter keeps only the last value of a repeated request header, dropping the rest
CVE-2026-54289 / GHSA-wgpf-jwqj-8h8p
Details
Summary
On AWS Lambda@Edge, CloudFront delivers a request header that appears more than once as several separate entries. The adapter writes each value with `Headers.set` instead of `Headers.append`, so every value overwrites the previous one and only the last reaches the application. Repeated request headers such as `X-Forwarded-For`, `Forwarded`, and `Via` are silently truncated to a single value.
Details
A repeated request header carries an ordered list of values. The adapter iterates the list but overwrites on each step, keeping only the final value. Middleware that depends on the full list — for example IP restriction that walks the `X-Forwarded-For` chain, or auditing based on `Forwarded`/`Via` hops — receives incomplete data. The API Gateway adapter already appends repeated values and is not affected.
This issue arises only on Lambda@Edge deployments, for requests that contain the same header more than once.
Impact
Request middleware sees only the last value of a repeated header instead of the full chain. For applications that base access control on the `X-Forwarded-For` chain, this can weaken or alter that decision; for auditing, hop history is lost. This affects applications deployed on AWS Lambda@Edge that rely on multi-value request headers.
Severity
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
References
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
hono: Body Limit Middleware can be bypassed on AWS Lambda by understating Content-Length
CVE-2026-54288 / GHSA-rv63-4mwf-qqc2
Details
Summary
The Body Limit Middleware trusts the request's `Content-Length` header to decide whether a body is within the limit. On AWS Lambda (API Gateway v1/v2, ALB, VPC Lattice, and Lambda@Edge) the body is delivered fully buffered and the adapter builds the request with the client-declared `Content-Length`, which need not match the actual payload. A client can declare a tiny `Content-Length` while sending a much larger body, slipping past the limit.
Details
When `Content-Length` is present and `Transfer-Encoding` is absent, the middleware compares the declared value against the limit and passes the request through if it is small enough. On standards-based runtimes the transport enforces that `Content-Length` matches the body, so this is safe. The Lambda adapters instead reconstruct the request from a buffered payload and copy the client's `Content-Length` verbatim, so the declared length and the real body size are decoupled.
This issue affects applications deployed on AWS Lambda that rely on the Body Limit Middleware to cap request body size.
Impact
The declared body-size limit can be bypassed: a handler reads a payload larger than the configured maximum. Processing the oversized payload (large JSON, multipart, etc.) consumes additional CPU and memory per request. The payload remains bounded by the platform's request size limits, and Lambda isolates invocations, so the impact is increased per-request resource usage rather than full denial of service. This affects applications deployed on AWS Lambda that use the Body Limit Middleware.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
References
This data is provided by the GitHub Advisory Database (CC-BY 4.0).