Hono JSX renderer CVE-2026-44458
MEDIUMSeverity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Lifecycle Timeline
3Blast Radius
ecosystem impact- 28 npm packages depend on hono (25 direct, 3 indirect)
Ecosystem-wide dependent count for version 4.12.18.
DescriptionGitHub Advisory
Summary
The JSX renderer escapes style attribute object values for HTML but not for CSS. Untrusted input in a style object value or property name can therefore inject additional CSS declarations into the rendered style attribute. The impact is limited to CSS and does not allow JavaScript execution or HTML attribute breakout.
Details
style object values are serialized into a CSS declaration list and escaped for HTML attribute context only. Characters that act as CSS declaration boundaries - such as ;, comment markers, quoted strings, and block delimiters - are valid in HTML attribute content and can extend a value beyond its assigned property.
This issue arises when untrusted input is interpolated into a JSX style object and rendered server-side.
Impact
An attacker who can control the value or property name of a style object may inject arbitrary CSS declarations. This may lead to:
- Visual manipulation of the page, including full-viewport overlays usable for phishing
- Outbound requests to attacker-controlled hosts via CSS resource references such as
url(...) - Hijacking of UI affordances through layout, positioning, or visibility changes
This issue affects applications that render JSX on the server with style object values or property names derived from untrusted input.
AnalysisAI
CSS declaration injection in Hono's JSX server-side renderer allows remote attackers to inject arbitrary CSS declarations via untrusted style object values or property names, enabling visual manipulation, outbound CSS requests to attacker hosts, and UI hijacking. Affects Hono versions before 4.12.18 when rendering JSX server-side with user-controlled style object inputs. No JavaScript execution or HTML breakout possible; impact limited to CSS scope.
Technical ContextAI
Hono is a lightweight JavaScript web framework (pkg:npm/hono) that supports server-side JSX rendering. The vulnerability resides in the JSX renderer's style attribute serialization logic. When a JSX component renders a style object (e.g., <div style={{ color: userInput }}>) server-side, the renderer escapes values for HTML attribute context but fails to escape for CSS context. This creates a mismatch: characters like semicolons (;), comment delimiters (/**/), and quoted strings that are valid CSS declaration boundaries remain unescaped. An attacker injecting ; background: url(attacker.com) into a style value breaks out of the intended property and injects new declarations. Root cause is improper input validation at the CSS parsing layer (CWE-74: Improper Neutralization of Special Elements used in an Output Command).
RemediationAI
Vendor-released patch: Hono 4.12.18 and later. Upgrade immediately by updating the hono dependency in package.json to ^4.12.18 or later and running npm install or equivalent. For applications unable to upgrade immediately, implement server-side input sanitization: strip or escape CSS-sensitive characters (;, /, *, {, }, :) from user inputs before passing them to JSX style objects, or use a CSS property allowlist that validates style property names against known safe properties only. Additionally, consider using inline style-CSP headers (style-src 'unsafe-inline' removal if feasible) to limit CSS injection scope, though this will break dynamic styling if not carefully implemented. Side effect of sanitization: legitimate user input containing these characters will be truncated or escaped, potentially breaking user-submitted styling intent; test thoroughly before production deployment.
Same technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-qp7p-654g-cw7p