Hono JWT Utils CVE-2026-44459
LOWSeverity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
3Blast Radius
ecosystem impact- 28 npm packages depend on hono (25 direct, 3 indirect)
Ecosystem-wide dependent count for version 4.12.18.
DescriptionGitHub Advisory
Summary
Improper validation of the JWT NumericDate claims exp, nbf, and iat in hono/utils/jwt allows tokens with non-spec-compliant claim values to silently bypass time-based checks. This issue is not exploitable by an anonymous attacker; it only manifests when a malformed claim value reaches verify() - typically when the application itself issues such tokens, or when the signing key is otherwise under attacker control.
Details
The validation routine combined option, presence, and threshold checks in a single short-circuiting expression, so several classes of malformed values were silently skipped instead of rejected:
- A falsy numeric value short-circuited the presence check.
- A non-finite numeric value compared as never-after-now and never-expired.
- A non-numeric type produced NaN comparisons that evaluated false.
This deviates from RFC 7519 §4.1.4, which defines NumericDate as a finite JSON numeric value.
Impact
An actor able to issue tokens accepted by the application may craft tokens whose exp, nbf, or iat claims silently bypass time-based enforcement. This may lead to:
- Tokens treated as never expiring even with
expconfigured on the verifier. - Tokens with a future
nbfaccepted as currently valid. - Tokens with a future
iataccepted as legitimately issued.
Deployments using a well-formed token issuer and protecting the signing key are not affected.
AnalysisAI
Improper validation of NumericDate claims (exp, nbf, iat) in hono/utils/jwt allows crafted JWT tokens with malformed time-based claims to silently bypass expiration and validity checks. This affects applications using Hono versions prior to 4.12.18. Exploitation requires the attacker to control token issuance or possess the signing key - unauthenticated remote exploitation is not possible. The vulnerability stems from combined short-circuiting logic that fails to reject non-finite, falsy, or non-numeric claim values as required by RFC 7519.
Technical ContextAI
Hono is a lightweight web framework for TypeScript/JavaScript runtime environments. The vulnerability exists in the JWT verification utility (hono/utils/jwt), which implements RFC 7519 token validation. NumericDate claims (exp, nbf, iat) represent UNIX timestamps and must be finite numeric values per the specification. The affected code combines presence, type, and threshold checks in a single expression using short-circuit evaluation, allowing three failure modes: (1) falsy numeric values (e.g., 0) bypass presence validation; (2) non-finite values (Infinity, NaN) produce false comparisons in time threshold checks; (3) non-numeric types (strings, objects) produce NaN comparisons that always evaluate false. This violates CWE-1284 (Improper Validation of Specified Quantity in Input).
RemediationAI
Upgrade Hono to version 4.12.18 or later. This is the vendor-released patch that corrects the validation logic to properly reject non-finite and non-numeric NumericDate claims. Immediately after patching, verify that all tokens in circulation comply with RFC 7519 (finite numeric values for exp, nbf, iat); tokens issued by legacy systems with malformed claims may fail validation post-patch and require reissuance. If immediate patching is not possible, implement compensating controls by adding pre-verification inspection of JWT payloads in your application - manually validate that exp, nbf, and iat claims are finite numbers before invoking Hono's verify() function, rejecting any token with non-numeric or non-finite time claims. Review your token issuance pipeline to eliminate malformed claim generation at the source. Restrict signing key access and audit all systems with key possession for unauthorized token generation.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-hm8q-7f3q-5f36