Hono
CVE-2026-22817
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
Lifecycle Timeline
3Blast Radius
ecosystem impact- 83 npm packages depend on hono (61 direct, 24 indirect)
Ecosystem-wide dependent count for version 4.11.4.
DescriptionGitHub Advisory
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.11.4, there is a flaw in Hono’s JWK/JWKS JWT verification middleware allowed the JWT header’s alg value to influence signature verification when the selected JWK did not explicitly specify an algorithm. This could enable JWT algorithm confusion and, in certain configurations, allow forged tokens to be accepted. As part of this fix, the JWT middleware now requires the alg option to be explicitly specified. This prevents algorithm confusion by ensuring that the verification algorithm is not derived from untrusted JWT header values. This vulnerability is fixed in 4.11.4.
AnalysisAI
Hono before version 4.11.4 contains a JWT algorithm confusion vulnerability in its JWK/JWKS verification middleware that allows attackers to forge authentication tokens when the JWK lacks explicit algorithm specification. An unauthenticated remote attacker can exploit this by manipulating the JWT header's alg value to bypass signature verification in affected configurations. The vulnerability is resolved in version 4.11.4, which now requires explicit algorithm specification to prevent header-driven algorithm confusion.
Technical ContextAI
This vulnerability (CWE-347: Improper Verification of Cryptographic Signature) affects Hono. Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.11.4, there is a flaw in Hono’s JWK/JWKS JWT verification middleware allowed the JWT header’s alg value to influence signature verification when the selected JWK did not explicitly specify an algorithm. This could enable JWT algorithm confusion and, in certain configurations, allow forged tokens to be accepted. As part of this fix, the JWT middleware now requires the alg option to be explicitly speci
RemediationAI
A vendor patch is available — apply it immediately. Fixed in version 4.11.4.. Restrict network access to the affected service where possible.
Hono, a web framework, prior to version 4.6.5 is vulnerable to bypass of cross-site request forgery (CSRF) middleware by
Hono is a Web application framework that provides support for any JavaScript runtime. Rated medium severity (CVSS 5.3),
Hono is a Web application framework that provides support for any JavaScript runtime. Rated medium severity (CVSS 5.0),
Hono is a web framework written in TypeScript. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploita
Hono is a Web application framework that provides support for any JavaScript runtime. [CVSS 8.2 HIGH]
Hono versions before 4.11.4 allow JWT algorithm confusion attacks through improper algorithm validation in the JWK/JWKS
Hono versions prior to 4.12.4 suffer from an authentication bypass in serveStatic when combined with route-based middlew
In Eclipse Hono version 1.3.0 and 1.4.0 the AMQP protocol adapter does not verify the size of AMQP messages received fro
Header injection in Hono's CORS middleware exposes applications to cache key pollution across versions before 4.10.3. Wh
Missing cookie name validation on the write path in Hono's setCookie(), serialize(), and serializeSigned() functions all
Server-side rendering in Hono's JSX module (versions 4.11.8 through before 4.12.27) fails to isolate context values per
Hono versions up to 4.12.4 contains a vulnerability that allows attackers to injection of additional SSE fields within t
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-f67f-6cw9-8mq4