Skip to main content

Hono JWT Utils CVE-2026-44459

LOW
Improper Validation of Specified Quantity in Input (CWE-1284)
2026-05-09 https://github.com/honojs/hono GHSA-hm8q-7f3q-5f36
3.8
CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
3.8 LOW
AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

3
Source Code Evidence Fetched
May 09, 2026 - 01:32 vuln.today
Analysis Generated
May 09, 2026 - 01:32 vuln.today
CVE Published
May 09, 2026 - 00:45 nvd
LOW 3.8

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 28 npm packages depend on hono (25 direct, 3 indirect)

Ecosystem-wide dependent count for version 4.12.18.

DescriptionGitHub Advisory

Summary

Improper validation of the JWT NumericDate claims exp, nbf, and iat in hono/utils/jwt allows tokens with non-spec-compliant claim values to silently bypass time-based checks. This issue is not exploitable by an anonymous attacker; it only manifests when a malformed claim value reaches verify() - typically when the application itself issues such tokens, or when the signing key is otherwise under attacker control.

Details

The validation routine combined option, presence, and threshold checks in a single short-circuiting expression, so several classes of malformed values were silently skipped instead of rejected:

  • A falsy numeric value short-circuited the presence check.
  • A non-finite numeric value compared as never-after-now and never-expired.
  • A non-numeric type produced NaN comparisons that evaluated false.

This deviates from RFC 7519 §4.1.4, which defines NumericDate as a finite JSON numeric value.

Impact

An actor able to issue tokens accepted by the application may craft tokens whose exp, nbf, or iat claims silently bypass time-based enforcement. This may lead to:

  • Tokens treated as never expiring even with exp configured on the verifier.
  • Tokens with a future nbf accepted as currently valid.
  • Tokens with a future iat accepted as legitimately issued.

Deployments using a well-formed token issuer and protecting the signing key are not affected.

AnalysisAI

Improper validation of NumericDate claims (exp, nbf, iat) in hono/utils/jwt allows crafted JWT tokens with malformed time-based claims to silently bypass expiration and validity checks. This affects applications using Hono versions prior to 4.12.18. Exploitation requires the attacker to control token issuance or possess the signing key - unauthenticated remote exploitation is not possible. The vulnerability stems from combined short-circuiting logic that fails to reject non-finite, falsy, or non-numeric claim values as required by RFC 7519.

Technical ContextAI

Hono is a lightweight web framework for TypeScript/JavaScript runtime environments. The vulnerability exists in the JWT verification utility (hono/utils/jwt), which implements RFC 7519 token validation. NumericDate claims (exp, nbf, iat) represent UNIX timestamps and must be finite numeric values per the specification. The affected code combines presence, type, and threshold checks in a single expression using short-circuit evaluation, allowing three failure modes: (1) falsy numeric values (e.g., 0) bypass presence validation; (2) non-finite values (Infinity, NaN) produce false comparisons in time threshold checks; (3) non-numeric types (strings, objects) produce NaN comparisons that always evaluate false. This violates CWE-1284 (Improper Validation of Specified Quantity in Input).

RemediationAI

Upgrade Hono to version 4.12.18 or later. This is the vendor-released patch that corrects the validation logic to properly reject non-finite and non-numeric NumericDate claims. Immediately after patching, verify that all tokens in circulation comply with RFC 7519 (finite numeric values for exp, nbf, iat); tokens issued by legacy systems with malformed claims may fail validation post-patch and require reissuance. If immediate patching is not possible, implement compensating controls by adding pre-verification inspection of JWT payloads in your application - manually validate that exp, nbf, and iat claims are finite numbers before invoking Hono's verify() function, rejecting any token with non-numeric or non-finite time claims. Review your token issuance pipeline to eliminate malformed claim generation at the source. Restrict signing key access and audit all systems with key possession for unauthorized token generation.

Share

CVE-2026-44459 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy