Skip to main content

Hono EUVDEUVD-2026-44631

| CVE-2026-56764 MEDIUM
Observable Timing Discrepancy (CWE-208)
2026-07-15 VulnCheck GHSA-98q5-3v5r-qvfh
6.3
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
6.3 MEDIUM
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
3.7 LOW

Network-reachable timing oracle requires low-jitter conditions for reliable exploitation (AC:H); no privileges needed to send auth probes (PR:N); impact limited to potential credential inference with no integrity or availability consequence.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Patch available
Jul 15, 2026 - 13:03 EUVD
Source Code Evidence Fetched
Jul 15, 2026 - 12:37 vuln.today
Analysis Generated
Jul 15, 2026 - 12:37 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 21 npm packages depend on hono (21 direct, 0 indirect)

Ecosystem-wide dependent count for version 4.11.10.

DescriptionCVE.org

Hono before 4.11.10 contains a timing attack vulnerability in the basicAuth and bearerAuth middlewares due to non-constant-time string comparison in the timingSafeEqual function. Attackers can exploit early termination of string equality checks to infer valid credentials through precise timing measurements.

AnalysisAI

Credential inference via timing side-channel is possible in Hono before 4.11.10 when the built-in basicAuth or bearerAuth middlewares are in use, due to JavaScript's short-circuit === string equality operator being used inside the timingSafeEqual function for hash comparison. Because === terminates on the first differing character, response times vary slightly based on how many leading characters of a credential match the stored hash, enabling an attacker to recover credentials one character at a time through statistical timing analysis. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify Hono app using basicAuth or bearerAuth middleware
Delivery
Send high-volume auth requests with systematically varied credentials
Exploit
Measure per-request response time with sub-millisecond precision
Execution
Average measurements across many requests to suppress noise
Persist
Infer matching characters via timing differential per position
Impact
Reconstruct full valid credential from timing oracle

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target application actively uses Hono's built-in `basicAuth` or `bearerAuth` middleware - applications using custom authentication handlers are not affected. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 6.3 with AV:N/AC:H/AT:P/VC:L accurately reflects the practical difficulty of exploiting a timing side-channel over a network. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker targeting a Hono application protected by `basicAuth` sends thousands of authentication requests with systematically varied credentials - holding all characters constant except one position - and uses statistical averaging across response times to identify which character at that position produces the longest (latest-terminating) comparison. By iterating across each character position, the attacker reconstructs the valid credential one character at a time, a process feasible in low-latency environments such as internal APIs or co-located cloud services where network jitter is below the timing differential. …
Remediation Upgrade the `hono` npm package to version 4.11.10 or later; this is the vendor-released patch per the GHSA advisory at https://github.com/honojs/hono/security/advisories/GHSA-gq3j-xvxp-8hrf, with the fix implemented in commit 91def7cab654bad5eecc9270e6620d577971ff5e. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Hono

View all
CVE-2024-48913 MEDIUM POC
5.9 Oct 15

Hono, a web framework, prior to version 4.6.5 is vulnerable to bypass of cross-site request forgery (CSRF) middleware by

CVE-2024-32869 MEDIUM POC
5.3 Apr 23

Hono is a Web application framework that provides support for any JavaScript runtime. Rated medium severity (CVSS 5.3),

CVE-2024-43787 MEDIUM POC
5.0 Aug 22

Hono is a Web application framework that provides support for any JavaScript runtime. Rated medium severity (CVSS 5.0),

CVE-2023-50710 MEDIUM POC
4.3 Dec 14

Hono is a web framework written in TypeScript. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploita

CVE-2026-27700 HIGH
8.2 Feb 25

Hono is a Web application framework that provides support for any JavaScript runtime. [CVSS 8.2 HIGH]

CVE-2026-22818 HIGH
8.2 Jan 13

Hono versions before 4.11.4 allow JWT algorithm confusion attacks through improper algorithm validation in the JWK/JWKS

CVE-2026-22817 HIGH
8.2 Jan 13

Hono before version 4.11.4 contains a JWT algorithm confusion vulnerability in its JWK/JWKS verification middleware that

CVE-2026-29045 HIGH
7.5 Mar 04

Hono versions prior to 4.12.4 suffer from an authentication bypass in serveStatic when combined with route-based middlew

CVE-2020-27217 HIGH
7.5 Nov 13

In Eclipse Hono version 1.3.0 and 1.4.0 the AMQP protocol adapter does not verify the size of AMQP messages received fro

CVE-2025-71381 MEDIUM
6.9 Jun 30

Header injection in Hono's CORS middleware exposes applications to cache key pollution across versions before 4.10.3. Wh

CVE-2026-56762 MEDIUM
6.9 Jun 23

Missing cookie name validation on the write path in Hono's setCookie(), serialize(), and serializeSigned() functions all

CVE-2026-59896 MEDIUM
6.5 Jul 08

Server-side rendering in Hono's JSX module (versions 4.11.8 through before 4.12.27) fails to isolate context values per

Share

EUVD-2026-44631 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy