Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N
Race condition requires concurrent async requests (AC:H); no attacker credentials needed (PR:N); context leakage yields high confidentiality impact and low integrity impact across user boundaries.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
Hono is a Web application framework that provides support for any JavaScript runtime. From 4.11.8 before 4.12.27, hono/jsx did not isolate context values per request during server-side rendering, allowing createContext, useContext, jsxRenderer, or useRequestContext data from a different in-flight request to be used after an await in an async component. This issue is fixed in version 4.12.27.
AnalysisAI
Server-side rendering in Hono's JSX module (versions 4.11.8 through before 4.12.27) fails to isolate context values per request, enabling cross-request data leakage under concurrent load. When async components yield at an await boundary, the shared context store can be overwritten by a concurrent in-flight request, causing createContext, useContext, jsxRenderer, or useRequestContext data from one user's session to bleed into another user's response. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the target application to run Hono versions 4.11.8 through before 4.12.27 with server-side rendering enabled via hono/jsx, and to use at least one async JSX component (containing an await expression) that reads from context via createContext, useContext, jsxRenderer, or useRequestContext. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD CVSS 6.5 (Medium) with vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N is consistent with the described vulnerability class. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker or non-malicious user sends a high volume of concurrent authenticated requests to a Hono SSR application. Under sufficient concurrency, a request handler resumes after an await in an async JSX component and reads context data that was written by a concurrently executing request belonging to a different user, causing a response to be rendered with another user's session or profile data. … |
| Remediation | Upgrade Hono to version 4.12.27 or later, which resolves the per-request context isolation issue. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Hono, a web framework, prior to version 4.6.5 is vulnerable to bypass of cross-site request forgery (CSRF) middleware by
Hono is a Web application framework that provides support for any JavaScript runtime. Rated medium severity (CVSS 5.3),
Hono is a Web application framework that provides support for any JavaScript runtime. Rated medium severity (CVSS 5.0),
Hono is a web framework written in TypeScript. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploita
Hono is a Web application framework that provides support for any JavaScript runtime. [CVSS 8.2 HIGH]
Hono versions before 4.11.4 allow JWT algorithm confusion attacks through improper algorithm validation in the JWK/JWKS
Hono before version 4.11.4 contains a JWT algorithm confusion vulnerability in its JWK/JWKS verification middleware that
Hono versions prior to 4.12.4 suffer from an authentication bypass in serveStatic when combined with route-based middlew
In Eclipse Hono version 1.3.0 and 1.4.0 the AMQP protocol adapter does not verify the size of AMQP messages received fro
Header injection in Hono's CORS middleware exposes applications to cache key pollution across versions before 4.10.3. Wh
Missing cookie name validation on the write path in Hono's setCookie(), serialize(), and serializeSigned() functions all
Hono versions up to 4.12.4 contains a vulnerability that allows attackers to injection of additional SSE fields within t
Same weakness CWE-362 – Race Condition
View allSame technique Race Condition
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42326