Hono
CVE-2026-22818
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
Lifecycle Timeline
3Blast Radius
ecosystem impact- 83 npm packages depend on hono (61 direct, 24 indirect)
Ecosystem-wide dependent count for version 4.11.4.
DescriptionGitHub Advisory
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.11.4, there is a flaw in Hono’s JWK/JWKS JWT verification middleware allowed the algorithm specified in the JWT header to influence signature verification when the selected JWK did not explicitly define an algorithm. This could enable JWT algorithm confusion and, in certain configurations, allow forged tokens to be accepted. The JWK/JWKS JWT verification middleware has been updated to require an explicit allowlist of asymmetric algorithms when verifying tokens. The middleware no longer derives the verification algorithm from untrusted JWT header values. This vulnerability is fixed in 4.11.4.
AnalysisAI
Hono versions before 4.11.4 allow JWT algorithm confusion attacks through improper algorithm validation in the JWK/JWKS verification middleware, enabling attackers to forge valid tokens when the selected JWK lacks an explicit algorithm definition. An unauthenticated remote attacker can exploit this to bypass JWT signature verification and gain unauthorized access to affected applications. The vulnerability has been patched in version 4.11.4, which now requires explicit algorithm allowlists instead of deriving algorithms from untrusted JWT headers.
Technical ContextAI
This vulnerability (CWE-347: Improper Verification of Cryptographic Signature) affects Hono. Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.11.4, there is a flaw in Hono’s JWK/JWKS JWT verification middleware allowed the algorithm specified in the JWT header to influence signature verification when the selected JWK did not explicitly define an algorithm. This could enable JWT algorithm confusion and, in certain configurations, allow forged tokens to be accepted. The JWK/JWKS JWT verification middleware has been updated to require an expl
RemediationAI
A vendor patch is available — apply it immediately. Fixed in version 4.11.4.. Restrict network access to the affected service where possible.
Hono, a web framework, prior to version 4.6.5 is vulnerable to bypass of cross-site request forgery (CSRF) middleware by
Hono is a Web application framework that provides support for any JavaScript runtime. Rated medium severity (CVSS 5.3),
Hono is a Web application framework that provides support for any JavaScript runtime. Rated medium severity (CVSS 5.0),
Hono is a web framework written in TypeScript. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploita
Hono is a Web application framework that provides support for any JavaScript runtime. [CVSS 8.2 HIGH]
Hono before version 4.11.4 contains a JWT algorithm confusion vulnerability in its JWK/JWKS verification middleware that
Hono versions prior to 4.12.4 suffer from an authentication bypass in serveStatic when combined with route-based middlew
In Eclipse Hono version 1.3.0 and 1.4.0 the AMQP protocol adapter does not verify the size of AMQP messages received fro
Header injection in Hono's CORS middleware exposes applications to cache key pollution across versions before 4.10.3. Wh
Missing cookie name validation on the write path in Hono's setCookie(), serialize(), and serializeSigned() functions all
Server-side rendering in Hono's JSX module (versions 4.11.8 through before 4.12.27) fails to isolate context values per
Hono versions up to 4.12.4 contains a vulnerability that allows attackers to injection of additional SSE fields within t
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-3vhc-576x-3qv4