Skip to main content

Hono JSX renderer CVE-2026-44458

MEDIUM
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)
2026-05-09 https://github.com/honojs/hono GHSA-qp7p-654g-cw7p
4.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

3
Source Code Evidence Fetched
May 09, 2026 - 01:32 vuln.today
Analysis Generated
May 09, 2026 - 01:32 vuln.today
CVE Published
May 09, 2026 - 00:46 nvd
MEDIUM 4.3

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 28 npm packages depend on hono (25 direct, 3 indirect)

Ecosystem-wide dependent count for version 4.12.18.

DescriptionGitHub Advisory

Summary

The JSX renderer escapes style attribute object values for HTML but not for CSS. Untrusted input in a style object value or property name can therefore inject additional CSS declarations into the rendered style attribute. The impact is limited to CSS and does not allow JavaScript execution or HTML attribute breakout.

Details

style object values are serialized into a CSS declaration list and escaped for HTML attribute context only. Characters that act as CSS declaration boundaries - such as ;, comment markers, quoted strings, and block delimiters - are valid in HTML attribute content and can extend a value beyond its assigned property.

This issue arises when untrusted input is interpolated into a JSX style object and rendered server-side.

Impact

An attacker who can control the value or property name of a style object may inject arbitrary CSS declarations. This may lead to:

  • Visual manipulation of the page, including full-viewport overlays usable for phishing
  • Outbound requests to attacker-controlled hosts via CSS resource references such as url(...)
  • Hijacking of UI affordances through layout, positioning, or visibility changes

This issue affects applications that render JSX on the server with style object values or property names derived from untrusted input.

AnalysisAI

CSS declaration injection in Hono's JSX server-side renderer allows remote attackers to inject arbitrary CSS declarations via untrusted style object values or property names, enabling visual manipulation, outbound CSS requests to attacker hosts, and UI hijacking. Affects Hono versions before 4.12.18 when rendering JSX server-side with user-controlled style object inputs. No JavaScript execution or HTML breakout possible; impact limited to CSS scope.

Technical ContextAI

Hono is a lightweight JavaScript web framework (pkg:npm/hono) that supports server-side JSX rendering. The vulnerability resides in the JSX renderer's style attribute serialization logic. When a JSX component renders a style object (e.g., <div style={{ color: userInput }}>) server-side, the renderer escapes values for HTML attribute context but fails to escape for CSS context. This creates a mismatch: characters like semicolons (;), comment delimiters (/**/), and quoted strings that are valid CSS declaration boundaries remain unescaped. An attacker injecting ; background: url(attacker.com) into a style value breaks out of the intended property and injects new declarations. Root cause is improper input validation at the CSS parsing layer (CWE-74: Improper Neutralization of Special Elements used in an Output Command).

RemediationAI

Vendor-released patch: Hono 4.12.18 and later. Upgrade immediately by updating the hono dependency in package.json to ^4.12.18 or later and running npm install or equivalent. For applications unable to upgrade immediately, implement server-side input sanitization: strip or escape CSS-sensitive characters (;, /, *, {, }, :) from user inputs before passing them to JSX style objects, or use a CSS property allowlist that validates style property names against known safe properties only. Additionally, consider using inline style-CSP headers (style-src 'unsafe-inline' removal if feasible) to limit CSS injection scope, though this will break dynamic styling if not carefully implemented. Side effect of sanitization: legitimate user input containing these characters will be truncated or escaped, potentially breaking user-submitted styling intent; test thoroughly before production deployment.

Share

CVE-2026-44458 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy