Hono
Monthly
Credential inference via timing side-channel is possible in Hono before 4.11.10 when the built-in `basicAuth` or `bearerAuth` middlewares are in use, due to JavaScript's short-circuit `===` string equality operator being used inside the `timingSafeEqual` function for hash comparison. Because `===` terminates on the first differing character, response times vary slightly based on how many leading characters of a credential match the stored hash, enabling an attacker to recover credentials one character at a time through statistical timing analysis. No public exploit has been identified and the vendor GHSA advisory explicitly characterizes this as a hardening improvement with low practical exploitability outside highly controlled, low-jitter network environments.
Prototype pollution in Hono before 4.12.7 enables unauthenticated remote attackers to inject properties into JavaScript's Object.prototype by submitting crafted form field names containing '__proto__' keys when the 'dot' option is enabled in parseBody. Exploitation is conditional - it further requires that application code merges parsed body output into plain JavaScript objects using unsafe merge patterns - but when both conditions are present, attackers can silently alter inherited object behavior across the entire runtime, potentially bypassing authorization checks or leaking sensitive data. No public exploit code or CISA KEV listing exists at time of analysis; the CVSS 4.0 score of 6.3 reflects limited impact and the attack prerequisite of the non-default dot option being enabled.
Server-side rendering XSS in Hono's hono/css module (versions 4.0.0 through 4.12.26) allows injection of arbitrary HTML markup by exploiting the cx() function's failure to HTML-escape input before marking it as safe. When untrusted data flows into a cx() call used in a JSX class attribute during SSR, attackers can break out of the attribute context and inject arbitrary markup or script into the rendered page delivered to victims. No public exploit code or CISA KEV listing has been identified at time of analysis; the CVSS 6.1 Medium score with Scope:Changed reflects the cross-context server-to-browser impact.
Server-side rendering in Hono's JSX module (versions 4.11.8 through before 4.12.27) fails to isolate context values per request, enabling cross-request data leakage under concurrent load. When async components yield at an await boundary, the shared context store can be overwritten by a concurrent in-flight request, causing createContext, useContext, jsxRenderer, or useRequestContext data from one user's session to bleed into another user's response. No public exploit has been identified at time of analysis, but the C:H CVSS impact rating reflects that leaked context values frequently carry sensitive per-user material such as authentication state, session tokens, or profile data.
Header de-duplication logic in Hono's AWS API Gateway v1 adapter silently drops distinct repeated header values because it uses substring comparison rather than exact string equality, meaning a value like '10.0.0.1' would incorrectly suppress '10.0.0.10'. Middleware or application logic relying on a complete X-Forwarded-For chain, rate limiting counters, audit trail integrity, or proxy-chain trust validation receives a truncated view of the request. Affected versions span 4.3.3 through 4.12.26; no public exploit identified at time of analysis, though the GitHub advisory confirms the issue and a fix is released in v4.12.27.
Header injection in Hono's CORS middleware exposes applications to cache key pollution across versions before 4.10.3. When the CORS `origin` option is configured to anything other than wildcard `*`, the middleware incorrectly promotes client-supplied `Vary` header values from the incoming request directly into the HTTP response - a behavior violating the HTTP specification, which reserves `Vary` as a server-managed response header. In environments using shared caches, CDNs, or reverse proxies, an attacker can craft requests with arbitrary `Vary` values to poison cache entries, potentially causing incorrect CORS policies to be enforced for legitimate downstream users. No public exploit code and no CISA KEV listing have been identified at time of analysis.
HTML injection in Hono's JSX server-side rendering engine (versions before 4.12.14) allows network-accessible attackers to corrupt rendered HTML output by supplying malformed attribute names containing characters such as quotes or angle brackets. Applications that pass untrusted external input - query parameters, form data, or other user-controlled values - directly as JSX attribute keys during SSR are affected. No active exploitation has been confirmed and no public exploit code has been identified at time of analysis; however, successful exploitation against vulnerable application patterns can escalate to cross-site scripting if the injected HTML includes event handlers processed by the victim's browser.
Missing cookie name validation on the write path in Hono's setCookie(), serialize(), and serializeSigned() functions allows user-controlled input containing CRLF control characters to produce malformed Set-Cookie headers. Affected are all Hono npm releases before 4.12.12. In practice, modern runtimes including Node.js and Cloudflare Workers reject the malformed headers before they are transmitted, meaning confirmed impact is availability loss (runtime errors crashing the response) rather than header injection or response splitting - though theoretical risk exists on less-strict runtimes. No active exploitation is confirmed, and no public exploit code has been identified.
Hono's jwt and jwk middleware components fail to enforce the Bearer scheme in the Authorization header, allowing any two-part header value - such as 'Basic <token>' or 'Token <token>' - to pass JWT verification identically to a correctly formed Bearer request. All Hono releases prior to 4.12.21 on any supported JavaScript runtime are affected when these middlewares protect routes. No public exploit identified at time of analysis, and this is not listed in CISA KEV; real-world exploitation requires the attacker to already possess a valid, properly signed JWT.
HTTP response header injection in Hono's cookie serialize() function allows unauthenticated remote attackers to inject arbitrary Set-Cookie attributes when an application passes user-controlled input into the sameSite or priority cookie options. All Hono releases prior to 4.12.21 are affected across every supported JavaScript runtime. No public exploit code exists at time of analysis, and the vulnerability is not listed in CISA KEV, though the low attack complexity and network-accessible vector make it exploitable wherever the affected code path is reachable by user-supplied data.
Path prefix stripping in Hono's app.mount() API exposes mounted sub-applications to incorrect routing due to a raw-vs-decoded URL path inconsistency, potentially allowing unauthenticated remote attackers to reach unintended endpoints and disclose protected information. All Hono versions prior to 4.12.21 are affected across every supported JavaScript runtime. No public exploit or CISA KEV listing exists at time of analysis; however, the CVSS vector AV:N/AC:L/PR:N/UI:N and the 'Information Disclosure / Request Smuggling' classification make this a meaningful priority for any deployment that relies on mount-prefix path logic for access segregation.
Hono versions up to 4.12.4 contains a vulnerability that allows attackers to injection of additional cookie attributes if untrusted input was passed into the (CVSS 5.4).
Hono versions up to 4.12.4 contains a vulnerability that allows attackers to injection of additional SSE fields within the same event frame if untrusted inpu (CVSS 6.5).
Hono versions prior to 4.12.4 suffer from an authentication bypass in serveStatic when combined with route-based middleware protections due to inconsistent URL decoding between the router and file serving components. An unauthenticated remote attacker can exploit this mismatch by encoding slashes (%2F) in request paths to access protected static resources that should be restricted by middleware rules. A patch is available in version 4.12.4 and later.
Hono is a Web application framework that provides support for any JavaScript runtime. [CVSS 8.2 HIGH]
Hono's ErrorBoundary JSX component before version 4.11.7 fails to properly sanitize user-controlled input, allowing attackers to inject and execute arbitrary JavaScript in victims' browsers through reflected XSS. The vulnerability requires user interaction and network access but can compromise the confidentiality and integrity of affected applications. A patch is available in version 4.11.7.
Hono versions before 4.11.7 contain an information disclosure vulnerability in the static file serving middleware for Cloudflare Workers that allows unauthenticated remote attackers to read sensitive environment keys through path traversal. The lack of proper input validation enables attackers to access internal asset keys that should remain protected. A patch is available in version 4.11.7 and later.
Hono versions up to 4.11.7 contains a vulnerability that allows attackers to private or authenticated responses being cached and subsequently exposed to unau (CVSS 5.3).
Hono's IP Restriction Middleware fails to properly validate IPv4 octet ranges, allowing attackers to bypass IP-based access controls by submitting malformed addresses with values exceeding 255. This affects all users relying on Hono's IP filtering mechanisms for authentication or authorization. A patch is available in version 4.11.7 and later.
Hono versions before 4.11.4 allow JWT algorithm confusion attacks through improper algorithm validation in the JWK/JWKS verification middleware, enabling attackers to forge valid tokens when the selected JWK lacks an explicit algorithm definition. An unauthenticated remote attacker can exploit this to bypass JWT signature verification and gain unauthorized access to affected applications. The vulnerability has been patched in version 4.11.4, which now requires explicit algorithm allowlists instead of deriving algorithms from untrusted JWT headers.
Hono before version 4.11.4 contains a JWT algorithm confusion vulnerability in its JWK/JWKS verification middleware that allows attackers to forge authentication tokens when the JWK lacks explicit algorithm specification. An unauthenticated remote attacker can exploit this by manipulating the JWT header's alg value to bypass signature verification in affected configurations. The vulnerability is resolved in version 4.11.4, which now requires explicit algorithm specification to prevent header-driven algorithm confusion.
Hono is a Web application framework that provides support for any JavaScript runtime. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.
Hono is a Web application framework that provides support for any JavaScript runtime. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Hono, a web framework, prior to version 4.6.5 is vulnerable to bypass of cross-site request forgery (CSRF) middleware by a request without Content-Type header. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.
Hono is a Web application framework that provides support for any JavaScript runtime. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.
Hono is a Web application framework that provides support for any JavaScript runtime. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Hono is a web framework written in TypeScript. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
In Eclipse Hono version 1.3.0 and 1.4.0 the AMQP protocol adapter does not verify the size of AMQP messages received from devices. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Credential inference via timing side-channel is possible in Hono before 4.11.10 when the built-in `basicAuth` or `bearerAuth` middlewares are in use, due to JavaScript's short-circuit `===` string equality operator being used inside the `timingSafeEqual` function for hash comparison. Because `===` terminates on the first differing character, response times vary slightly based on how many leading characters of a credential match the stored hash, enabling an attacker to recover credentials one character at a time through statistical timing analysis. No public exploit has been identified and the vendor GHSA advisory explicitly characterizes this as a hardening improvement with low practical exploitability outside highly controlled, low-jitter network environments.
Prototype pollution in Hono before 4.12.7 enables unauthenticated remote attackers to inject properties into JavaScript's Object.prototype by submitting crafted form field names containing '__proto__' keys when the 'dot' option is enabled in parseBody. Exploitation is conditional - it further requires that application code merges parsed body output into plain JavaScript objects using unsafe merge patterns - but when both conditions are present, attackers can silently alter inherited object behavior across the entire runtime, potentially bypassing authorization checks or leaking sensitive data. No public exploit code or CISA KEV listing exists at time of analysis; the CVSS 4.0 score of 6.3 reflects limited impact and the attack prerequisite of the non-default dot option being enabled.
Server-side rendering XSS in Hono's hono/css module (versions 4.0.0 through 4.12.26) allows injection of arbitrary HTML markup by exploiting the cx() function's failure to HTML-escape input before marking it as safe. When untrusted data flows into a cx() call used in a JSX class attribute during SSR, attackers can break out of the attribute context and inject arbitrary markup or script into the rendered page delivered to victims. No public exploit code or CISA KEV listing has been identified at time of analysis; the CVSS 6.1 Medium score with Scope:Changed reflects the cross-context server-to-browser impact.
Server-side rendering in Hono's JSX module (versions 4.11.8 through before 4.12.27) fails to isolate context values per request, enabling cross-request data leakage under concurrent load. When async components yield at an await boundary, the shared context store can be overwritten by a concurrent in-flight request, causing createContext, useContext, jsxRenderer, or useRequestContext data from one user's session to bleed into another user's response. No public exploit has been identified at time of analysis, but the C:H CVSS impact rating reflects that leaked context values frequently carry sensitive per-user material such as authentication state, session tokens, or profile data.
Header de-duplication logic in Hono's AWS API Gateway v1 adapter silently drops distinct repeated header values because it uses substring comparison rather than exact string equality, meaning a value like '10.0.0.1' would incorrectly suppress '10.0.0.10'. Middleware or application logic relying on a complete X-Forwarded-For chain, rate limiting counters, audit trail integrity, or proxy-chain trust validation receives a truncated view of the request. Affected versions span 4.3.3 through 4.12.26; no public exploit identified at time of analysis, though the GitHub advisory confirms the issue and a fix is released in v4.12.27.
Header injection in Hono's CORS middleware exposes applications to cache key pollution across versions before 4.10.3. When the CORS `origin` option is configured to anything other than wildcard `*`, the middleware incorrectly promotes client-supplied `Vary` header values from the incoming request directly into the HTTP response - a behavior violating the HTTP specification, which reserves `Vary` as a server-managed response header. In environments using shared caches, CDNs, or reverse proxies, an attacker can craft requests with arbitrary `Vary` values to poison cache entries, potentially causing incorrect CORS policies to be enforced for legitimate downstream users. No public exploit code and no CISA KEV listing have been identified at time of analysis.
HTML injection in Hono's JSX server-side rendering engine (versions before 4.12.14) allows network-accessible attackers to corrupt rendered HTML output by supplying malformed attribute names containing characters such as quotes or angle brackets. Applications that pass untrusted external input - query parameters, form data, or other user-controlled values - directly as JSX attribute keys during SSR are affected. No active exploitation has been confirmed and no public exploit code has been identified at time of analysis; however, successful exploitation against vulnerable application patterns can escalate to cross-site scripting if the injected HTML includes event handlers processed by the victim's browser.
Missing cookie name validation on the write path in Hono's setCookie(), serialize(), and serializeSigned() functions allows user-controlled input containing CRLF control characters to produce malformed Set-Cookie headers. Affected are all Hono npm releases before 4.12.12. In practice, modern runtimes including Node.js and Cloudflare Workers reject the malformed headers before they are transmitted, meaning confirmed impact is availability loss (runtime errors crashing the response) rather than header injection or response splitting - though theoretical risk exists on less-strict runtimes. No active exploitation is confirmed, and no public exploit code has been identified.
Hono's jwt and jwk middleware components fail to enforce the Bearer scheme in the Authorization header, allowing any two-part header value - such as 'Basic <token>' or 'Token <token>' - to pass JWT verification identically to a correctly formed Bearer request. All Hono releases prior to 4.12.21 on any supported JavaScript runtime are affected when these middlewares protect routes. No public exploit identified at time of analysis, and this is not listed in CISA KEV; real-world exploitation requires the attacker to already possess a valid, properly signed JWT.
HTTP response header injection in Hono's cookie serialize() function allows unauthenticated remote attackers to inject arbitrary Set-Cookie attributes when an application passes user-controlled input into the sameSite or priority cookie options. All Hono releases prior to 4.12.21 are affected across every supported JavaScript runtime. No public exploit code exists at time of analysis, and the vulnerability is not listed in CISA KEV, though the low attack complexity and network-accessible vector make it exploitable wherever the affected code path is reachable by user-supplied data.
Path prefix stripping in Hono's app.mount() API exposes mounted sub-applications to incorrect routing due to a raw-vs-decoded URL path inconsistency, potentially allowing unauthenticated remote attackers to reach unintended endpoints and disclose protected information. All Hono versions prior to 4.12.21 are affected across every supported JavaScript runtime. No public exploit or CISA KEV listing exists at time of analysis; however, the CVSS vector AV:N/AC:L/PR:N/UI:N and the 'Information Disclosure / Request Smuggling' classification make this a meaningful priority for any deployment that relies on mount-prefix path logic for access segregation.
Hono versions up to 4.12.4 contains a vulnerability that allows attackers to injection of additional cookie attributes if untrusted input was passed into the (CVSS 5.4).
Hono versions up to 4.12.4 contains a vulnerability that allows attackers to injection of additional SSE fields within the same event frame if untrusted inpu (CVSS 6.5).
Hono versions prior to 4.12.4 suffer from an authentication bypass in serveStatic when combined with route-based middleware protections due to inconsistent URL decoding between the router and file serving components. An unauthenticated remote attacker can exploit this mismatch by encoding slashes (%2F) in request paths to access protected static resources that should be restricted by middleware rules. A patch is available in version 4.12.4 and later.
Hono is a Web application framework that provides support for any JavaScript runtime. [CVSS 8.2 HIGH]
Hono's ErrorBoundary JSX component before version 4.11.7 fails to properly sanitize user-controlled input, allowing attackers to inject and execute arbitrary JavaScript in victims' browsers through reflected XSS. The vulnerability requires user interaction and network access but can compromise the confidentiality and integrity of affected applications. A patch is available in version 4.11.7.
Hono versions before 4.11.7 contain an information disclosure vulnerability in the static file serving middleware for Cloudflare Workers that allows unauthenticated remote attackers to read sensitive environment keys through path traversal. The lack of proper input validation enables attackers to access internal asset keys that should remain protected. A patch is available in version 4.11.7 and later.
Hono versions up to 4.11.7 contains a vulnerability that allows attackers to private or authenticated responses being cached and subsequently exposed to unau (CVSS 5.3).
Hono's IP Restriction Middleware fails to properly validate IPv4 octet ranges, allowing attackers to bypass IP-based access controls by submitting malformed addresses with values exceeding 255. This affects all users relying on Hono's IP filtering mechanisms for authentication or authorization. A patch is available in version 4.11.7 and later.
Hono versions before 4.11.4 allow JWT algorithm confusion attacks through improper algorithm validation in the JWK/JWKS verification middleware, enabling attackers to forge valid tokens when the selected JWK lacks an explicit algorithm definition. An unauthenticated remote attacker can exploit this to bypass JWT signature verification and gain unauthorized access to affected applications. The vulnerability has been patched in version 4.11.4, which now requires explicit algorithm allowlists instead of deriving algorithms from untrusted JWT headers.
Hono before version 4.11.4 contains a JWT algorithm confusion vulnerability in its JWK/JWKS verification middleware that allows attackers to forge authentication tokens when the JWK lacks explicit algorithm specification. An unauthenticated remote attacker can exploit this by manipulating the JWT header's alg value to bypass signature verification in affected configurations. The vulnerability is resolved in version 4.11.4, which now requires explicit algorithm specification to prevent header-driven algorithm confusion.
Hono is a Web application framework that provides support for any JavaScript runtime. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.
Hono is a Web application framework that provides support for any JavaScript runtime. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Hono, a web framework, prior to version 4.6.5 is vulnerable to bypass of cross-site request forgery (CSRF) middleware by a request without Content-Type header. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.
Hono is a Web application framework that provides support for any JavaScript runtime. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.
Hono is a Web application framework that provides support for any JavaScript runtime. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Hono is a web framework written in TypeScript. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
In Eclipse Hono version 1.3.0 and 1.4.0 the AMQP protocol adapter does not verify the size of AMQP messages received from devices. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.