Package details: pkg:npm/hono@4.0.8
purl pkg:npm/hono@4.0.8
Next non-vulnerable version 4.12.18
Latest non-vulnerable version 4.12.21
Risk
Vulnerabilities affecting this package (28)
Vulnerability Summary Fixed by
VCID-1mzm-bnvy-1ugp
Aliases:
CVE-2026-24771
GHSA-9r54-q6cx-xmh5
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.11.7, a Cross-Site Scripting (XSS) vulnerability exists in the `ErrorBoundary` component of the hono/jsx library. Under certain usage patterns, untrusted user-controlled strings may be rendered as raw HTML, allowing arbitrary script execution in the victim's browser. Version 4.11.7 patches the issue.
4.11.7
Affected by 16 other vulnerabilities.
VCID-2yns-6tp8-7kbn
Aliases:
CVE-2025-62610
GHSA-m732-5p4w-x69g
Hono is a Web application framework that provides support for any JavaScript runtime. In versions from 1.1.0 to before 4.10.2, Hono’s JWT Auth Middleware does not provide a built-in aud (Audience) verification option, which can cause confused-deputy / token-mix-up issues: an API may accept a valid token that was issued for a different audience (e.g., another service) when multiple services share the same issuer/keys. This can lead to unintended cross-service access. Hono’s docs list verification options for iss/nbf/iat/exp only, with no aud support; RFC 7519 requires that when an aud claim is present, tokens MUST be rejected unless the processing party identifies itself in that claim. This issue has been patched in version 4.10.2.
4.10.2
Affected by 23 other vulnerabilities.
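The aud check described above, as an added example that is not Hono's code: a validator for the RFC 7519 registered claims that includes the audience rule the advisory says the middleware lacked. It assumes the token's signature has already been verified and that `payload` is its decoded claims object; the issuer URL, the two audience identifiers and the fixed clock are constructed for the scenario.

```javascript
// Added example, not Hono's code: RFC 7519 registered-claim validation that
// includes the aud check the advisory says the middleware lacked.
// Assumes `payload` is the already signature-verified JWT claims object.

// Returns an array of rejection reasons; an empty array means the claims are acceptable.
function validateClaims(payload, { audience, issuer, now = Math.floor(Date.now() / 1000), leeway = 0 }) {
  const errors = [];

  // aud (RFC 7519 §4.1.3): a single StringOrURI or an array of them. When present,
  // the processing party MUST identify itself with one of the values. Shared-issuer
  // deployments should additionally require the claim, as done here.
  const aud = payload.aud;
  if (aud === undefined) {
    errors.push('aud: missing (this service requires an audience)');
  } else {
    const list = Array.isArray(aud) ? aud : [aud];
    if (list.length === 0 || !list.every((a) => typeof a === 'string')) {
      errors.push('aud: malformed');
    } else if (!list.includes(audience)) {
      errors.push(`aud: token issued for [${list.join(', ')}], not ${audience}`);
    }
  }

  // iss (§4.1.1): exact string comparison against the expected issuer.
  if (issuer !== undefined && payload.iss !== issuer) errors.push('iss: mismatch');

  // exp (§4.1.4): current time MUST be before exp; nbf (§4.1.5): MUST be at or after nbf;
  // iat (§4.1.6): reject tokens claiming to be issued in the future.
  if (typeof payload.exp === 'number' && now >= payload.exp + leeway) errors.push('exp: token expired');
  if (typeof payload.nbf === 'number' && now < payload.nbf - leeway) errors.push('nbf: token not yet valid');
  if (typeof payload.iat === 'number' && payload.iat > now + leeway) errors.push('iat: issued in the future');

  return errors;
}

// Constructed scenario: two APIs behind the same issuer and signing key. A token minted
// for api-b must not be usable at api-a even though its signature verifies.
const ISSUER = 'https://sso.example';   // assumed issuer URL
const API_A = 'https://api-a.example';  // assumed audience identifiers
const API_B = 'https://api-b.example';
const NOW = 1_750_000_000;              // fixed clock for reproducible results

const tokenForB = { iss: ISSUER, sub: 'alice', aud: API_B, iat: NOW - 60, exp: NOW + 3600 };
const tokenForBoth = { iss: ISSUER, sub: 'alice', aud: [API_A, API_B], iat: NOW - 60, exp: NOW + 3600 };

function demo() {
  return {
    mixUp: validateClaims(tokenForB, { audience: API_A, issuer: ISSUER, now: NOW }),
    legit: validateClaims(tokenForBoth, { audience: API_A, issuer: ISSUER, now: NOW }),
  };
}

console.log(demo());
```

Requiring `aud` (rather than only checking it when present) is the stricter choice; RFC 7519 makes the claim optional, but in a shared-issuer deployment a token without an audience is exactly the token that can be replayed across services.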
VCID-36hs-1ykr-xbcs
Aliases:
CVE-2026-29086
GHSA-5pq2-9x2x-5p6w
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.12.4, the setCookie() utility did not validate semicolons (;), carriage returns (\r), or newline characters (\n) in the domain and path options when constructing the Set-Cookie header. Because cookie attributes are delimited by semicolons, this could allow injection of additional cookie attributes if untrusted input was passed into these fields. This issue has been patched in version 4.12.4.
4.12.4
Affected by 12 other vulnerabilities.
VCID-3d6m-3rha-dkc2
Aliases:
CVE-2026-44456
GHSA-9vqf-7f2p-gf9v
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.16, bodyLimit() does not reliably enforce maxSize for requests without a usable Content-Length (e.g. Transfer-Encoding: chunked). Oversized requests can reach handlers and return 200 instead of 413. This vulnerability is fixed in 4.12.16.
4.12.16
Affected by 3 other vulnerabilities.
VCID-6vuz-qwz8-h7ba
Aliases:
CVE-2025-59139
GHSA-92vj-g62v-jqhh
Hono is a Web application framework that provides support for any JavaScript runtime. In versions prior to 4.9.7, a flaw in the `bodyLimit` middleware could allow bypassing the configured request body size limit when conflicting HTTP headers were present. The middleware previously prioritized the `Content-Length` header even when a `Transfer-Encoding: chunked` header was also included. According to the HTTP specification, `Content-Length` must be ignored in such cases. This discrepancy could allow oversized request bodies to bypass the configured limit. Most standards-compliant runtimes and reverse proxies may reject such malformed requests with `400 Bad Request`, so the practical impact depends on the runtime and deployment environment. If body size limits are used as a safeguard against large or malicious requests, this flaw could allow attackers to send oversized request bodies. The primary risk is denial of service (DoS) due to excessive memory or CPU consumption when handling very large requests. The implementation has been updated to align with the HTTP specification, ensuring that `Transfer-Encoding` takes precedence over `Content-Length`. The issue is fixed in Hono v4.9.7, and all users should upgrade immediately.
4.9.7
Affected by 24 other vulnerabilities.
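Both bodyLimit advisories above (CVE-2026-44456 and CVE-2025-59139) come down to the same two rules, shown here in an added example that is not Hono's code: ignore Content-Length whenever Transfer-Encoding is present (RFC 9112 §6.3), and enforce the limit on the bytes actually streamed rather than on what the headers claim. It uses only the WHATWG Headers and ReadableStream APIs available in Node 18+, Workers, Deno and Bun; the limit and the request bodies are constructed for the example.

```javascript
// Added example, not Hono's code: a body-size limit that follows RFC 9112 §6.3
// (Content-Length is ignored when Transfer-Encoding is present) and that counts
// the streamed bytes, so chunked or otherwise unframed bodies are limited too.

const MAX_SIZE = 1024; // assumed limit for this example, in bytes

// Returns the body length the headers promise, null if unknown, and throws on a
// malformed Content-Length (a compliant runtime would answer 400 Bad Request).
function declaredLength(headers) {
  if (headers.get('transfer-encoding') !== null) return null; // framing comes from the transfer coding
  const cl = headers.get('content-length');
  if (cl === null) return null;
  if (!/^\d+$/.test(cl)) throw new Error('400 Bad Request: invalid Content-Length');
  return Number(cl);
}

// Reads at most maxSize bytes; returns { status: 413 } as soon as the limit is exceeded,
// otherwise { status: 200, body: Uint8Array }.
async function readBodyWithLimit(headers, body, maxSize = MAX_SIZE) {
  const declared = declaredLength(headers);
  if (declared !== null && declared > maxSize) return { status: 413, body: null }; // cheap early reject
  if (body === null) return { status: 200, body: new Uint8Array(0) };

  const reader = body.getReader();
  const chunks = [];
  let total = 0;
  try {
    for (;;) {
      const { done, value } = await reader.read();
      if (done) break;
      total += value.byteLength;
      if (total > maxSize) { // enforced on actual bytes, whatever the headers claimed
        await reader.cancel('413');
        return { status: 413, body: null };
      }
      chunks.push(value);
    }
  } finally {
    reader.releaseLock();
  }
  const out = new Uint8Array(total);
  let offset = 0;
  for (const c of chunks) { out.set(c, offset); offset += c.byteLength; }
  return { status: 200, body: out };
}

// Constructed request bodies: a chunked stream made of the given pieces.
function chunkedStream(...pieces) {
  const enc = new TextEncoder();
  return new ReadableStream({
    start(controller) {
      for (const p of pieces) controller.enqueue(enc.encode(p));
      controller.close();
    },
  });
}

// Scenarios from the advisories: a small Content-Length alongside Transfer-Encoding: chunked
// with a body far larger than MAX_SIZE, and a chunked body with no Content-Length at all.
async function demo() {
  const conflicting = new Headers({ 'content-length': '10', 'transfer-encoding': 'chunked' });
  const oversized = await readBodyWithLimit(conflicting, chunkedStream('x'.repeat(900), 'y'.repeat(900)));
  const unframed = await readBodyWithLimit(new Headers({ 'transfer-encoding': 'chunked' }), chunkedStream('z'.repeat(2000)));
  const fine = await readBodyWithLimit(new Headers({ 'content-length': '5' }), chunkedStream('hello'));
  return { oversized: oversized.status, unframed: unframed.status, fine: fine.status };
}

demo().then((r) => console.log(r)); // prints { oversized: 413, unframed: 413, fine: 200 }
```

The early reject on a large declared length is only an optimisation; the streamed-byte count is the control, which is why a lying Content-Length smaller than the real body is still caught.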
VCID-7xab-d7wk-83c5
Aliases:
CVE-2026-44459
GHSA-hm8q-7f3q-5f36
4.12.18
Affected by 0 other vulnerabilities.
VCID-8dsh-qx5a-mkgz
Aliases:
GHSA-gq3j-xvxp-8hrf
Hono added timing comparison hardening in basicAuth and bearerAuth
4.11.10
Affected by 15 other vulnerabilities.
VCID-8vd9-z7ze-nqgf
Aliases:
CVE-2026-22817
GHSA-f67f-6cw9-8mq4
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.11.4, a flaw in Hono’s JWK/JWKS JWT verification middleware allowed the JWT header’s alg value to influence signature verification when the selected JWK did not explicitly specify an algorithm. This could enable JWT algorithm confusion and, in certain configurations, allow forged tokens to be accepted. As part of this fix, the JWT middleware now requires the alg option to be explicitly specified. This prevents algorithm confusion by ensuring that the verification algorithm is not derived from untrusted JWT header values. This vulnerability is fixed in 4.11.4.
4.11.4
Affected by 20 other vulnerabilities.
VCID-9xtz-up2w-mqdh
Aliases:
CVE-2026-39407
GHSA-wmmm-f939-6g9c
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, a path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes (//) in the request path. When route-based middleware (e.g., /admin/*) is used for authorization, the router may not match paths containing repeated slashes, while serveStatic resolves them as normalized paths. This can lead to a middleware bypass. This vulnerability is fixed in 4.12.12.
4.12.12
Affected by 6 other vulnerabilities.
VCID-af7v-p695-jqgr
Aliases:
CVE-2024-43787
GHSA-rpfr-3m35-5vx5
Hono is a Web application framework that provides support for any JavaScript runtime. Hono CSRF middleware can be bypassed using a crafted Content-Type header. MIME types are case insensitive, but isRequestedByFormElementRe only matches lower-case. As a result, an attacker can bypass the CSRF middleware using an upper-case form-like MIME type. This vulnerability is fixed in 4.5.8.
4.5.8
Affected by 26 other vulnerabilities.
VCID-ajhs-ueyw-pfbz
Aliases:
GHSA-26pp-8wgv-hjvm
Hono missing validation of cookie name on write path in setCookie()

## Summary

Cookie names are not validated on the write path when using `setCookie()`, `serialize()`, or `serializeSigned()` to generate Set-Cookie headers. While certain cookie attributes such as domain and path are validated, the cookie name itself may contain invalid characters. This results in inconsistent handling of cookie names between parsing (read path) and serialization (write path).

## Details

When applications use `setCookie()`, `serialize()`, or `serializeSigned()` with a user-controlled cookie name, invalid values (e.g., containing control characters such as `\r` or `\n`) can be used to construct malformed `Set-Cookie` header values. For example:

```
Set-Cookie: legit
X-Injected: evil=value
```

However, in modern runtimes such as Node.js and Cloudflare Workers, such invalid header values are rejected and result in a runtime error before the response is sent. As a result, the reported header injection / response splitting behavior could not be reproduced in these environments.

## Impact

Applications that pass untrusted input as the cookie name to `setCookie()`, `serialize()`, or `serializeSigned()` may encounter runtime errors due to invalid header values. In tested environments, malformed `Set-Cookie` headers are rejected before being sent, and the reported header injection behavior could not be reproduced. This issue primarily affects correctness and robustness rather than introducing a confirmed exploitable vulnerability.
4.12.12
Affected by 6 other vulnerabilities.
VCID-dy2t-qdtz-d3a1
Aliases:
GHSA-458j-xx4x-4375
hono Improperly Handles JSX Attribute Names Allows HTML Injection in hono/jsx SSR

## Summary

Improper handling of JSX attribute names in hono/jsx allows malformed attribute keys to corrupt the generated HTML output. When untrusted input is used as attribute keys during server-side rendering, specially crafted keys can break out of attribute or tag boundaries and inject unintended HTML.

## Details

When rendering JSX elements to HTML strings, attribute values are escaped, but attribute names (keys) were previously inserted into the output without validation. If an attribute name contains characters such as `"`, `>`, or whitespace, it can alter the structure of the generated HTML. For example, malformed attribute names can:

* Break out of the current attribute and introduce unintended additional attributes
* Break out of the current HTML tag and inject new elements into the output

This issue arises when untrusted input (such as query parameters or form data) is used as JSX attribute keys during server-side rendering.

## Impact

An attacker who can control attribute keys used in JSX rendering may inject unintended attributes or HTML elements into the generated output. This may lead to:

* Injection of unexpected HTML attributes
* Corruption of the HTML structure
* Potential cross-site scripting (XSS) if combined with unsafe usage patterns

This issue affects applications that pass untrusted input as JSX attribute keys during server-side rendering.
4.12.14
Affected by 5 other vulnerabilities.
VCID-e3g1-j76d-ebes
Aliases:
CVE-2026-39410
GHSA-r5rp-j6wh-rvv4
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, a discrepancy between browser cookie parsing and parse() handling allows cookie prefix protections to be bypassed. Cookie names that are treated as distinct by the browser may be normalized to the same key by parse(), allowing attacker-controlled cookies to override legitimate ones. This vulnerability is fixed in 4.12.12.
4.12.12
Affected by 6 other vulnerabilities.
VCID-e479-yqm3-wkg4
Aliases:
CVE-2026-44455
GHSA-69xw-7hcm-h432
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.16, improper handling of JSX element tag names in hono/jsx allowed unvalidated tag names to be directly inserted into the generated HTML output. When untrusted input is used as a tag name via the programmatic jsx() or createElement() APIs during server-side rendering, specially crafted values may break out of the intended element context and inject unintended HTML. This vulnerability is fixed in 4.12.16.
4.12.16
Affected by 3 other vulnerabilities.
VCID-ewdf-92st-nkep
Aliases:
CVE-2026-24472
GHSA-6wqw-2p9w-4vw4
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.11.7, Cache Middleware contains an information disclosure vulnerability caused by improper handling of HTTP cache control directives. The middleware does not respect standard cache control headers such as `Cache-Control: private` or `Cache-Control: no-store`, which may result in private or authenticated responses being cached and subsequently exposed to unauthorized users. Version 4.11.7 has a patch for the issue.
4.11.7
Affected by 16 other vulnerabilities.
VCID-f57r-9u5c-ebh4
Aliases:
CVE-2026-24398
GHSA-r354-f388-2fhh
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.11.7, IP Restriction Middleware in Hono is vulnerable to an IP address validation bypass. The `IPV4_REGEX` pattern and `convertIPv4ToBinary` function in `src/utils/ipaddr.ts` do not properly validate that IPv4 octet values are within the valid range of 0-255, allowing attackers to craft malformed IP addresses that bypass IP-based access controls. Version 4.11.7 contains a patch for the issue.
4.11.7
Affected by 16 other vulnerabilities.
VCID-hghf-rym3-3ufa
Aliases:
GHSA-v8w9-8mx6-g223
Hono vulnerable to Prototype Pollution possible through __proto__ key allowed in parseBody({ dot: true })
4.12.7
Affected by 11 other vulnerabilities.
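The `parseBody({ dot: true })` issue named above, as an added example that is not Hono's code: a dot-notation form-body parser that cannot reach `Object.prototype`. It uses two layers: the result tree is built from null-prototype objects, where `__proto__` is an ordinary own property name, and the keys that would reach a prototype on an ordinary object are dropped outright. The request body is constructed.

```javascript
// Added example, not Hono's code: a dot-notation form-body parser that cannot
// pollute Object.prototype.

const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Assigns `value` at the dotted `path` inside `target`, creating intermediate objects.
// Returns false if the path contains an unsafe key; nothing is written in that case.
function assignDotted(target, path, value) {
  const keys = path.split('.');
  if (keys.some((k) => UNSAFE_KEYS.has(k))) return false;
  let node = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    if (typeof node[k] !== 'object' || node[k] === null) node[k] = Object.create(null);
    node = node[k];
  }
  node[keys[keys.length - 1]] = value;
  return true;
}

// `pairs` is any iterable of [name, value], e.g. URLSearchParams or FormData.
// With dot: true, "user.name=alice" becomes { user: { name: 'alice' } }, as in parseBody({ dot: true }).
// Returns the parsed body plus the field names that were refused.
function parseFormBody(pairs, { dot = false } = {}) {
  const out = Object.create(null);
  const dropped = [];
  for (const [name, value] of pairs) {
    let written;
    if (dot && name.includes('.')) written = assignDotted(out, name, value);
    else if (UNSAFE_KEYS.has(name)) written = false;
    else { out[name] = value; written = true; }
    if (!written) dropped.push(name);
  }
  return { body: out, dropped };
}

// Constructed request body: legitimate nested fields next to two pollution attempts.
function demo() {
  const params = new URLSearchParams('user.name=alice&user.role=viewer&__proto__.isAdmin=true&constructor.prototype.x=1');
  const { body, dropped } = parseFormBody(params, { dot: true });
  return {
    role: body.user.role,
    dropped,
    polluted: ({}).isAdmin !== undefined || ({}).x !== undefined, // must stay false
  };
}
console.log(demo());
```

Dropping the field (and reporting it) rather than throwing keeps the parser usable behind a 400 handler; either is acceptable as long as the unsafe key never reaches an assignment.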
VCID-mfkw-vtvw-bqas
Aliases:
CVE-2026-44458
GHSA-qp7p-654g-cw7p
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.18, the JSX renderer escapes style attribute object values for HTML but not for CSS. Untrusted input in a style object value or property name can therefore inject additional CSS declarations into the rendered style attribute. The impact is limited to CSS and does not allow JavaScript execution or HTML attribute breakout. This vulnerability is fixed in 4.12.18.
4.12.18
Affected by 0 other vulnerabilities.
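The three hono/jsx rendering issues on this page (attribute names in GHSA-458j-xx4x-4375, tag names in CVE-2026-44455, style values in CVE-2026-44458) share one root: escaping attribute values cannot protect the parts of the markup that are not attribute values. The following is an added example and not hono/jsx's code: a minimal element serializer that validates tag names, attribute names and CSS declarations instead of interpolating them. The name grammars are deliberately stricter than HTML's, and rejecting (rather than escaping) names and CSS is this example's choice, not a description of the library's fix.

```javascript
// Added example, not hono/jsx's code: validate tag names, attribute names and CSS
// declarations; escape attribute values and text children.

const TAG_NAME_RE = /^[A-Za-z][A-Za-z0-9-]*$/;           // e.g. div, my-widget
const ATTR_NAME_RE = /^[A-Za-z_:][A-Za-z0-9_:.-]*$/;      // e.g. data-id, aria-label, xlink:href
const CSS_PROP_RE = /^-?[A-Za-z][A-Za-z0-9-]*$/;          // kebab-case after conversion
const CSS_VALUE_FORBIDDEN_RE = /[;{}\\\x00-\x1f]|\/\*/;    // declaration/block delimiters, escapes, comments

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));
}

// { fontSize: '12px', color: 'red' } -> "font-size:12px;color:red"
function serializeStyle(style) {
  const decls = [];
  for (const [prop, value] of Object.entries(style)) {
    const kebab = prop.replace(/[A-Z]/g, (c) => '-' + c.toLowerCase());
    if (!CSS_PROP_RE.test(kebab)) throw new TypeError(`invalid CSS property name: ${prop}`);
    if (value === null || value === undefined) continue;
    if (CSS_VALUE_FORBIDDEN_RE.test(String(value))) throw new TypeError(`invalid CSS value for ${prop}`);
    decls.push(`${kebab}:${value}`);
  }
  return decls.join(';');
}

class Raw { constructor(html) { this.html = html; } } // output of renderElement, not re-escaped

function renderElement(tag, props, children = []) {
  if (!TAG_NAME_RE.test(tag)) throw new TypeError(`invalid tag name: ${JSON.stringify(tag)}`);
  let out = `<${tag}`;
  for (const [name, value] of Object.entries(props ?? {})) {
    if (!ATTR_NAME_RE.test(name)) throw new TypeError(`invalid attribute name: ${JSON.stringify(name)}`);
    if (value === false || value === null || value === undefined) continue;
    if (value === true) { out += ` ${name}`; continue; }
    const text = name === 'style' && typeof value === 'object' ? serializeStyle(value) : String(value);
    out += ` ${name}="${escapeHtml(text)}"`; // values are escaped; names and CSS were validated above
  }
  out += '>';
  for (const child of children) out += child instanceof Raw ? child.html : escapeHtml(child);
  return new Raw(out + `</${tag}>`);
}

// Constructed inputs: the breakout shapes from the advisories as attribute key,
// tag name and style value, next to a benign render.
function demo() {
  const rejected = [];
  const attempts = [
    () => renderElement('div', { 'x" onmouseover="alert(1)': '1' }),                      // attribute-name breakout
    () => renderElement('div><script>alert(1)</script><div', {}),                         // tag-name breakout
    () => renderElement('p', { style: { color: 'red;background:url(//evil.example)' } }), // extra CSS declaration
  ];
  for (const attempt of attempts) { try { attempt(); } catch (e) { rejected.push(e.message); } }
  const ok = renderElement('a', { href: '/x?a=1&b=2', title: 'say "hi"', style: { fontSize: '12px' } }, ['<b>not bold</b>']).html;
  return { ok, rejected };
}
console.log(demo());
```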
VCID-q2gc-djt2-a3e9
Aliases:
CVE-2026-39408
GHSA-xf4j-xp2r-rqqx
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, a path traversal issue in toSSG() allows files to be written outside the configured output directory during static site generation. When using dynamic route parameters via ssgParams, specially crafted values can cause generated file paths to escape the intended output directory. This vulnerability is fixed in 4.12.12.
4.12.12
Affected by 6 other vulnerabilities.
VCID-r571-x8es-83a4
Aliases:
CVE-2024-48913
GHSA-2234-fmw7-43wr
Hono, a web framework, prior to version 4.6.5 is vulnerable to bypass of cross-site request forgery (CSRF) middleware by a request without Content-Type header. Although the CSRF middleware verifies the Content-Type Header, Hono always considers a request without a Content-Type header to be safe. This can allow an attacker to bypass CSRF protection implemented with Hono CSRF middleware. Version 4.6.5 fixes this issue.
4.6.5
Affected by 25 other vulnerabilities.
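The two CSRF bypasses on this page (CVE-2024-43787, upper-case media type; CVE-2024-48913, missing Content-Type) are both about deciding which requests a cross-site HTML form can produce. As an added example that is not Hono's code, the check below compares media types case-insensitively and treats an absent Content-Type as form-like, since a POST without a body (and therefore without a Content-Type) is also producible cross-site. The site and attacker origins are assumed.

```javascript
// Added example, not Hono's code: the origin check a CSRF middleware should apply to
// every request a cross-site form can produce.

const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);
// The only enctype values an HTML form can send; media types are case-insensitive.
const FORM_MEDIA_TYPES = new Set(['application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain']);

// "Multipart/Form-Data; boundary=..." -> "multipart/form-data"
function mediaType(contentType) {
  if (contentType === null) return null;
  return contentType.split(';')[0].trim().toLowerCase();
}

function isFormLike(headers) {
  const mt = mediaType(headers.get('content-type'));
  return mt === null || FORM_MEDIA_TYPES.has(mt);
}

// Returns { ok: true } or { ok: false, reason }. Other media types (e.g. application/json)
// pass here because a browser only sends them cross-origin after a CORS preflight, which the
// server's CORS policy governs separately.
function csrfCheck({ method, headers }, allowedOrigins) {
  if (SAFE_METHODS.has(method.toUpperCase())) return { ok: true };
  if (!isFormLike(headers)) return { ok: true };
  const origin = headers.get('origin');
  if (origin === null) return { ok: false, reason: 'form-like request without Origin' };
  if (!allowedOrigins.includes(origin)) return { ok: false, reason: `origin ${origin} not allowed` };
  return { ok: true };
}

// Constructed requests against an assumed site origin.
const SITE = 'https://app.example';
const ATTACKER = 'https://evil.example';
const post = (origin, contentType) => {
  const h = new Headers();
  if (origin !== null) h.set('origin', origin);
  if (contentType !== null) h.set('content-type', contentType);
  return { method: 'POST', headers: h };
};

function demo() {
  return {
    sameOriginForm: csrfCheck(post(SITE, 'application/x-www-form-urlencoded'), [SITE]).ok,
    upperCaseBypass: csrfCheck(post(ATTACKER, 'Application/X-WWW-Form-Urlencoded'), [SITE]).ok, // CVE-2024-43787 shape
    missingContentType: csrfCheck(post(ATTACKER, null), [SITE]).ok,                                // CVE-2024-48913 shape
    jsonFromElsewhere: csrfCheck(post(ATTACKER, 'application/json'), [SITE]).ok,
  };
}
console.log(demo());
```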
VCID-rcau-p84w-3bgs
Aliases:
CVE-2026-29045
GHSA-q5qw-h33p-qvwr
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.12.4, when using serveStatic together with route-based middleware protections (e.g. app.use('/admin/*', ...)), inconsistent URL decoding allowed protected static resources to be accessed without authorization. The router used decodeURI, while serveStatic used decodeURIComponent. This mismatch allowed paths containing encoded slashes (%2F) to bypass middleware protections while still resolving to the intended filesystem path. This issue has been patched in version 4.12.4.
4.12.4
Affected by 12 other vulnerabilities.
VCID-rdyz-9auw-qufx
Aliases:
CVE-2024-32869
GHSA-3mpf-rcc7-5347
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.2.7, when using serveStatic with deno, it is possible to traverse the directory where `main.ts` is located. This can result in retrieval of unexpected files. Version 4.2.7 contains a patch for the issue.
4.2.7
Affected by 27 other vulnerabilities.
VCID-tqjc-xv4n-5yb4
Aliases:
CVE-2026-29085
GHSA-p6xx-57qc-3wxr
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.12.4, when using streamSSE() in Streaming Helper, the event, id, and retry fields were not validated for carriage return (\r) or newline (\n) characters. Because the SSE protocol uses line breaks as field delimiters, this could allow injection of additional SSE fields within the same event frame if untrusted input was passed into these fields. This issue has been patched in version 4.12.4.
4.12.4
Affected by 12 other vulnerabilities.
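The three delimiter-injection advisories on this page (CVE-2026-29086 for Domain/Path, GHSA-26pp-8wgv-hjvm for the cookie name, CVE-2026-29085 for SSE fields) are the same defect in two text formats: the serializer let through the character that ends the current field. As an added example that is not Hono's code, the two serializers below refuse exactly those characters, using the cookie-name and cookie-value grammars of RFC 6265 §4.1.1 and the line-delimited framing of Server-Sent Events. The cookie and event inputs are constructed.

```javascript
// Added example, not Hono's code: Set-Cookie and SSE serializers that refuse the
// delimiters an attacker needs (';' and CRLF for cookies, line breaks for SSE).

// cookie-name is an RFC 9110 token: printable ASCII minus separators, no CTLs.
const COOKIE_NAME_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;
// cookie-octet: %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E (no CTL, SP, DQUOTE, comma, semicolon, backslash).
const COOKIE_VALUE_RE = /^[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*$/;
// Nothing in a Domain/Path attribute may start a new attribute or a new header line.
const ATTR_FORBIDDEN_RE = /[;\r\n]/;

function serializeSetCookie(name, value, opts = {}) {
  if (!COOKIE_NAME_RE.test(name)) throw new TypeError('invalid cookie name');
  if (!COOKIE_VALUE_RE.test(value)) throw new TypeError('invalid cookie value');
  let out = `${name}=${value}`;
  for (const [attr, key] of [['Domain', 'domain'], ['Path', 'path']]) {
    const v = opts[key];
    if (v === undefined) continue;
    if (ATTR_FORBIDDEN_RE.test(v)) throw new TypeError(`invalid ${attr} attribute`);
    out += `; ${attr}=${v}`;
  }
  if (opts.maxAge !== undefined) {
    if (!Number.isInteger(opts.maxAge)) throw new TypeError('Max-Age must be an integer');
    out += `; Max-Age=${opts.maxAge}`;
  }
  if (opts.secure) out += '; Secure';
  if (opts.httpOnly) out += '; HttpOnly';
  if (opts.sameSite !== undefined) {
    if (!['Strict', 'Lax', 'None'].includes(opts.sameSite)) throw new TypeError('invalid SameSite');
    out += `; SameSite=${opts.sameSite}`;
  }
  return out;
}

// One SSE event frame. event/id are single-line fields; retry is a non-negative integer;
// data may span lines and is emitted as one "data:" line per line, which is how SSE encodes it.
function formatSSEEvent({ data, event, id, retry }) {
  const singleLine = (field, v) => {
    if (/[\r\n]/.test(v)) throw new TypeError(`SSE ${field} field contains a line break`);
    return v;
  };
  let frame = '';
  if (event !== undefined) frame += `event: ${singleLine('event', String(event))}\n`;
  if (id !== undefined) frame += `id: ${singleLine('id', String(id))}\n`;
  if (retry !== undefined) {
    if (!Number.isInteger(retry) || retry < 0) throw new TypeError('SSE retry must be a non-negative integer');
    frame += `retry: ${retry}\n`;
  }
  for (const line of String(data).split(/\r\n|\r|\n/)) frame += `data: ${line}\n`;
  return frame + '\n';
}

// Constructed inputs: a benign cookie next to the injection attempts from the advisories.
function demo() {
  const ok = serializeSetCookie('session', 'abc123', { domain: 'example.com', path: '/', httpOnly: true, sameSite: 'Lax' });
  const rejected = [];
  const attempts = [
    ['session', 'v', { domain: 'example.com; SameSite=None' }], // attribute injection via ';'
    ['legit\r\nX-Injected: evil', 'v'],                         // header injection via CRLF in the name
    ['session', 'v', { path: '/\nSet-Cookie: other=1' }],       // new header line via the path
  ];
  for (const args of attempts) { try { serializeSetCookie(...args); } catch (e) { rejected.push(e.message); } }
  return { ok, rejected };
}
console.log(demo());
```

Validating at the serializer is what makes the runtime behaviour irrelevant: whether or not the platform later rejects a malformed header, the application fails at the call site with a clear error instead of producing output whose fate depends on the deployment.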
VCID-uuwp-p8jb-akfq
Aliases:
GHSA-q7jf-gf43-6x6p
Hono vulnerable to Vary Header Injection leading to potential CORS Bypass
4.10.3
Affected by 22 other vulnerabilities.
VCID-uwfg-jrfw-s7cc
Aliases:
CVE-2026-39409
GHSA-xpcf-pg52-r92g
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, ipRestriction() does not canonicalize IPv4-mapped IPv6 client addresses (e.g. ::ffff:127.0.0.1) before applying IPv4 allow or deny rules. In environments such as Node.js dual-stack, this can cause IPv4 rules to fail to match, leading to unintended authorization behavior. This vulnerability is fixed in 4.12.12.
4.12.12
Affected by 6 other vulnerabilities.
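The two ipRestriction advisories (CVE-2026-24398, octets outside 0-255; CVE-2026-39409, IPv4-mapped IPv6 peers) are handled together in this added example, which is not Hono's code: a strict dotted-quad parser and a canonicalisation step that folds `::ffff:a.b.c.d` (and its hex form `::ffff:aabb:ccdd`) back to IPv4 before any rule is evaluated. Rejecting leading zeros is stricter than the advisory requires; it avoids the octal reading some parsers apply to `010`. The allow list and peer addresses are constructed.

```javascript
// Added example, not Hono's code: strict IPv4 parsing and IPv4-mapped IPv6 folding
// in front of allow/deny rules.

// Returns the address as an unsigned 32-bit integer, or null if it is not a valid dotted quad.
function parseIPv4(s) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return null;
  let n = 0;
  for (let i = 1; i <= 4; i++) {
    const octet = Number(m[i]);
    if (octet > 255 || (m[i].length > 1 && m[i][0] === '0')) return null; // range 0-255, no leading zeros
    n = n * 256 + octet;
  }
  return n >>> 0;
}

// Node dual-stack listeners report IPv4 peers as IPv4-mapped IPv6, in dotted
// (::ffff:127.0.0.1) or hex (::ffff:7f00:1) form; fold both back to plain IPv4.
function canonicalizeClientAddr(addr) {
  const dotted = /^::ffff:(\d{1,3}(?:\.\d{1,3}){3})$/i.exec(addr);
  if (dotted) return dotted[1];
  const hex = /^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/i.exec(addr);
  if (hex) {
    const hi = parseInt(hex[1], 16), lo = parseInt(hex[2], 16);
    return `${hi >> 8}.${hi & 255}.${lo >> 8}.${lo & 255}`;
  }
  return addr;
}

// rule is "a.b.c.d" or "a.b.c.d/bits"; a malformed rule or address never matches (fail closed).
function matchesIPv4Rule(addr, rule) {
  const ip = parseIPv4(canonicalizeClientAddr(addr));
  const [base, bitsText] = rule.split('/');
  const baseIp = parseIPv4(base);
  const bits = bitsText === undefined ? 32 : Number(bitsText);
  if (ip === null || baseIp === null || !Number.isInteger(bits) || bits < 0 || bits > 32) return false;
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ip & mask) >>> 0) === ((baseIp & mask) >>> 0);
}

// deny wins over allow; an empty allow list allows everything not denied.
function ipRestriction(addr, { allow = [], deny = [] }) {
  if (deny.some((r) => matchesIPv4Rule(addr, r))) return false;
  return allow.length === 0 || allow.some((r) => matchesIPv4Rule(addr, r));
}

// Constructed peers against an assumed internal-only allow list.
function demo() {
  const rules = { allow: ['10.0.0.0/8', '127.0.0.1'] };
  return {
    plain: ipRestriction('10.1.2.3', rules),
    mapped: ipRestriction('::ffff:10.1.2.3', rules),   // CVE-2026-39409 shape: must still match
    mappedHex: ipRestriction('::ffff:7f00:1', rules),
    overflowOctet: ipRestriction('10.0.0.300', rules), // CVE-2026-24398 shape: must not parse
    outsider: ipRestriction('203.0.113.9', rules),
  };
}
console.log(demo());
```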
VCID-wm8v-yjdh-ubfu
Aliases:
CVE-2026-24473
GHSA-w332-q679-j88p
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.11.7, Serve static Middleware for the Cloudflare Workers adapter contains an information disclosure vulnerability that may allow attackers to read arbitrary keys from the Workers environment. Improper validation of user-controlled paths can result in unintended access to internal asset keys. Version 4.11.7 contains a patch for the issue.
4.11.7
Affected by 16 other vulnerabilities.
VCID-xymw-92x9-63fb
Aliases:
CVE-2026-22818
GHSA-3vhc-576x-3qv4
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.11.4, a flaw in Hono’s JWK/JWKS JWT verification middleware allowed the algorithm specified in the JWT header to influence signature verification when the selected JWK did not explicitly define an algorithm. This could enable JWT algorithm confusion and, in certain configurations, allow forged tokens to be accepted. The JWK/JWKS JWT verification middleware has been updated to require an explicit allowlist of asymmetric algorithms when verifying tokens. The middleware no longer derives the verification algorithm from untrusted JWT header values. This vulnerability is fixed in 4.11.4.
4.11.4
Affected by 20 other vulnerabilities.
VCID-zf4g-8fjt-qke8
Aliases:
CVE-2026-44457
GHSA-p77w-8qqv-26rm
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.18, Cache Middleware does not skip caching for responses that declare per-user variance via Vary: Authorization or Vary: Cookie. As a result, a response cached for one authenticated user may be served to subsequent requests from different users. This vulnerability is fixed in 4.12.18.
4.12.18
Affected by 0 other vulnerabilities.
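The two Cache Middleware advisories on this page (CVE-2026-24472 for `Cache-Control: private` / `no-store`, CVE-2026-44457 for `Vary: Authorization` / `Vary: Cookie`) are both decisions a shared cache must make before storing a response. As an added example that is not Hono's code, the function below makes that decision from the request and response headers. The additional rule for credentialed requests without an explicit `public` (or `s-maxage` / `must-revalidate`) follows RFC 9111 §3.5 and is stricter than the advisories require; the exchanges are constructed.

```javascript
// Added example, not Hono's code: should a shared cache store this response?

// "public, max-age=600" -> Set {"public", "max-age"}; header names and directives are case-insensitive.
const tokens = (value) => new Set((value ?? '').split(',').map((t) => t.trim().split('=')[0].toLowerCase()).filter(Boolean));

// request is { method, headers }, response is { status, headers }, both with WHATWG Headers.
// Returns { cacheable, reason }.
function cacheDecision(request, response) {
  const no = (reason) => ({ cacheable: false, reason });
  if (request.method !== 'GET' && request.method !== 'HEAD') return no('method');
  if (response.status !== 200) return no('status'); // simplification for the example
  const cc = tokens(response.headers.get('cache-control'));
  if (cc.has('no-store')) return no('Cache-Control: no-store');
  if (cc.has('private')) return no('Cache-Control: private');
  const vary = tokens(response.headers.get('vary'));
  if (vary.has('*')) return no('Vary: *');
  if (vary.has('authorization') || vary.has('cookie')) return no('Vary on a per-user header');
  // RFC 9111 §3.5: a response to a request with Authorization is not shareable unless a
  // directive explicitly allows it; Cookie is treated the same way here as a conservative choice.
  const credentialed = request.headers.has('authorization') || request.headers.has('cookie');
  if (credentialed && !cc.has('public') && !cc.has('s-maxage') && !cc.has('must-revalidate')) {
    return no('credentialed request without an explicit sharing directive');
  }
  return { cacheable: true, reason: 'ok' };
}

// Constructed exchanges.
const req = (headers = {}) => ({ method: 'GET', headers: new Headers(headers) });
const res = (headers = {}, status = 200) => ({ status, headers: new Headers(headers) });

function demo() {
  return {
    publicAsset: cacheDecision(req(), res({ 'cache-control': 'public, max-age=600' })).cacheable,
    privateProfile: cacheDecision(req(), res({ 'cache-control': 'private, max-age=600' })).cacheable,                   // CVE-2026-24472 shape
    varyCookie: cacheDecision(req({ cookie: 'sid=abc' }), res({ 'cache-control': 'public', vary: 'Cookie' })).cacheable, // CVE-2026-44457 shape
    bearerNoPublic: cacheDecision(req({ authorization: 'Bearer t' }), res({ 'cache-control': 'max-age=60' })).cacheable,
  };
}
console.log(demo());
```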
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version
2026-06-12T22:25:18.409278+00:00 GitLab Importer Affected by VCID-mfkw-vtvw-bqas https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/hono/CVE-2026-44458.yml 38.6.0
2026-06-12T22:25:15.738112+00:00 GitLab Importer Affected by VCID-7xab-d7wk-83c5 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/hono/CVE-2026-44459.yml 38.6.0
2026-06-12T22:25:13.484468+00:00 GitLab Importer Affected by VCID-zf4g-8fjt-qke8 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/hono/CVE-2026-44457.yml 38.6.0
2026-06-12T22:21:56.268422+00:00 GitLab Importer Affected by VCID-3d6m-3rha-dkc2 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/hono/CVE-2026-44456.yml 38.6.0
2026-06-12T22:21:47.325766+00:00 GitLab Importer Affected by VCID-e479-yqm3-wkg4 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/hono/CVE-2026-44455.yml 38.6.0
2026-06-12T22:08:40.437908+00:00 GitLab Importer Affected by VCID-dy2t-qdtz-d3a1 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/hono/GHSA-458j-xx4x-4375.yml 38.6.0
2026-06-12T21:57:35.285422+00:00 GitLab Importer Affected by VCID-9xtz-up2w-mqdh https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/hono/CVE-2026-39407.yml 38.6.0
2026-06-12T21:56:44.058220+00:00 GitLab Importer Affected by VCID-q2gc-djt2-a3e9 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/hono/CVE-2026-39408.yml 38.6.0
2026-06-12T21:56:32.602094+00:00 GitLab Importer Affected by VCID-uwfg-jrfw-s7cc https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/hono/CVE-2026-39409.yml 38.6.0
2026-06-12T21:56:15.962986+00:00 GitLab Importer Affected by VCID-e3g1-j76d-ebes https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/hono/CVE-2026-39410.yml 38.6.0
2026-06-12T21:56:11.959824+00:00 GitLab Importer Affected by VCID-ajhs-ueyw-pfbz https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/hono/GHSA-26pp-8wgv-hjvm.yml 38.6.0
2026-06-12T21:22:10.212008+00:00 GitLab Importer Affected by VCID-hghf-rym3-3ufa https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/hono/GHSA-v8w9-8mx6-g223.yml 38.6.0
2026-06-12T21:17:06.642560+00:00 GitLab Importer Affected by VCID-36hs-1ykr-xbcs https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/hono/CVE-2026-29086.yml 38.6.0
2026-06-12T21:17:04.626605+00:00 GitLab Importer Affected by VCID-tqjc-xv4n-5yb4 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/hono/CVE-2026-29085.yml 38.6.0
2026-06-12T21:17:02.710916+00:00 GitLab Importer Affected by VCID-rcau-p84w-3bgs https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/hono/CVE-2026-29045.yml 38.6.0
2026-06-12T21:00:50.889082+00:00 GitLab Importer Affected by VCID-8dsh-qx5a-mkgz https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/hono/GHSA-gq3j-xvxp-8hrf.yml 38.6.0
2026-06-12T20:53:15.333660+00:00 GitLab Importer Affected by VCID-1mzm-bnvy-1ugp https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/hono/CVE-2026-24771.yml 38.6.0
2026-06-12T20:52:46.427109+00:00 GitLab Importer Affected by VCID-f57r-9u5c-ebh4 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/hono/CVE-2026-24398.yml 38.6.0
2026-06-12T20:52:44.397470+00:00 GitLab Importer Affected by VCID-ewdf-92st-nkep https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/hono/CVE-2026-24472.yml 38.6.0
2026-06-12T20:52:22.315874+00:00 GitLab Importer Affected by VCID-wm8v-yjdh-ubfu https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/hono/CVE-2026-24473.yml 38.6.0
2026-06-12T20:47:04.803347+00:00 GitLab Importer Affected by VCID-xymw-92x9-63fb https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/hono/CVE-2026-22818.yml 38.6.0
2026-06-12T20:45:45.437953+00:00 GitLab Importer Affected by VCID-8vd9-z7ze-nqgf https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/hono/CVE-2026-22817.yml 38.6.0
2026-06-12T20:26:46.307716+00:00 GitLab Importer Affected by VCID-uuwp-p8jb-akfq https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/hono/GHSA-q7jf-gf43-6x6p.yml 38.6.0
2026-06-12T20:26:29.606087+00:00 GitLab Importer Affected by VCID-2yns-6tp8-7kbn https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/hono/CVE-2025-62610.yml 38.6.0
2026-06-12T20:17:05.183779+00:00 GitLab Importer Affected by VCID-6vuz-qwz8-h7ba https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/hono/CVE-2025-59139.yml 38.6.0
2026-06-12T19:43:57.089058+00:00 GitLab Importer Affected by VCID-r571-x8es-83a4 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/hono/CVE-2024-48913.yml 38.6.0
2026-06-12T19:37:45.947123+00:00 GitLab Importer Affected by VCID-af7v-p695-jqgr https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/hono/CVE-2024-43787.yml 38.6.0
2026-06-12T19:26:17.370275+00:00 GitLab Importer Affected by VCID-rdyz-9auw-qufx https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/hono/CVE-2024-32869.yml 38.6.0