Package details: pkg:npm/hono@4.12.2
purl pkg:npm/hono@4.12.2
Next non-vulnerable version 4.12.18
Latest non-vulnerable version 4.12.21
Risk 4.0
Vulnerabilities affecting this package (15)
Vulnerability Summary Fixed by
VCID-36hs-1ykr-xbcs
Aliases:
CVE-2026-29086
GHSA-5pq2-9x2x-5p6w
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.12.4, the setCookie() utility did not validate semicolons (;), carriage returns (\r), or newline characters (\n) in the domain and path options when constructing the Set-Cookie header. Because cookie attributes are delimited by semicolons, this could allow injection of additional cookie attributes if untrusted input was passed into these fields. This issue has been patched in version 4.12.4.
4.12.4
Affected by 12 other vulnerabilities.
VCID-3d6m-3rha-dkc2
Aliases:
CVE-2026-44456
GHSA-9vqf-7f2p-gf9v
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.16, bodyLimit() does not reliably enforce maxSize for requests without a usable Content-Length (e.g. Transfer-Encoding: chunked). Oversized requests can reach handlers and return 200 instead of 413. This vulnerability is fixed in 4.12.16.
4.12.16
Affected by 3 other vulnerabilities.
VCID-7xab-d7wk-83c5
Aliases:
CVE-2026-44459
GHSA-hm8q-7f3q-5f36
4.12.18
Affected by 0 other vulnerabilities.
VCID-9xtz-up2w-mqdh
Aliases:
CVE-2026-39407
GHSA-wmmm-f939-6g9c
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, a path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes (//) in the request path. When route-based middleware (e.g., /admin/*) is used for authorization, the router may not match paths containing repeated slashes, while serveStatic resolves them as normalized paths. This can lead to a middleware bypass. This vulnerability is fixed in 4.12.12.
4.12.12
Affected by 6 other vulnerabilities.
VCID-ajhs-ueyw-pfbz
Aliases:
GHSA-26pp-8wgv-hjvm
Hono missing validation of cookie name on write path in setCookie()

## Summary

Cookie names are not validated on the write path when using `setCookie()`, `serialize()`, or `serializeSigned()` to generate Set-Cookie headers. While certain cookie attributes such as domain and path are validated, the cookie name itself may contain invalid characters. This results in inconsistent handling of cookie names between parsing (read path) and serialization (write path).

## Details

When applications use `setCookie()`, `serialize()`, or `serializeSigned()` with a user-controlled cookie name, invalid values (e.g., containing control characters such as `\r` or `\n`) can be used to construct malformed `Set-Cookie` header values. For example:

```
Set-Cookie: legit
X-Injected: evil=value
```

However, in modern runtimes such as Node.js and Cloudflare Workers, such invalid header values are rejected and result in a runtime error before the response is sent. As a result, the reported header injection / response splitting behavior could not be reproduced in these environments.

## Impact

Applications that pass untrusted input as the cookie name to `setCookie()`, `serialize()`, or `serializeSigned()` may encounter runtime errors due to invalid header values. In tested environments, malformed `Set-Cookie` headers are rejected before being sent, and the reported header injection behavior could not be reproduced. This issue primarily affects correctness and robustness rather than introducing a confirmed exploitable vulnerability.
4.12.12
Affected by 6 other vulnerabilities.
VCID-dy2t-qdtz-d3a1
Aliases:
GHSA-458j-xx4x-4375
hono Improperly Handles JSX Attribute Names Allows HTML Injection in hono/jsx SSR

## Summary

Improper handling of JSX attribute names in hono/jsx allows malformed attribute keys to corrupt the generated HTML output. When untrusted input is used as attribute keys during server-side rendering, specially crafted keys can break out of attribute or tag boundaries and inject unintended HTML.

## Details

When rendering JSX elements to HTML strings, attribute values are escaped, but attribute names (keys) were previously inserted into the output without validation. If an attribute name contains characters such as `"`, `>`, or whitespace, it can alter the structure of the generated HTML. For example, malformed attribute names can:

* Break out of the current attribute and introduce unintended additional attributes
* Break out of the current HTML tag and inject new elements into the output

This issue arises when untrusted input (such as query parameters or form data) is used as JSX attribute keys during server-side rendering.

## Impact

An attacker who can control attribute keys used in JSX rendering may inject unintended attributes or HTML elements into the generated output. This may lead to:

* Injection of unexpected HTML attributes
* Corruption of the HTML structure
* Potential cross-site scripting (XSS) if combined with unsafe usage patterns

This issue affects applications that pass untrusted input as JSX attribute keys during server-side rendering.
4.12.14
Affected by 5 other vulnerabilities.
VCID-e3g1-j76d-ebes
Aliases:
CVE-2026-39410
GHSA-r5rp-j6wh-rvv4
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, a discrepancy between browser cookie parsing and parse() handling allows cookie prefix protections to be bypassed. Cookie names that are treated as distinct by the browser may be normalized to the same key by parse(), allowing attacker-controlled cookies to override legitimate ones. This vulnerability is fixed in 4.12.12.
4.12.12
Affected by 6 other vulnerabilities.
VCID-e479-yqm3-wkg4
Aliases:
CVE-2026-44455
GHSA-69xw-7hcm-h432
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.16, improper handling of JSX element tag names in hono/jsx allowed unvalidated tag names to be directly inserted into the generated HTML output. When untrusted input is used as a tag name via the programmatic jsx() or createElement() APIs during server-side rendering, specially crafted values may break out of the intended element context and inject unintended HTML. This vulnerability is fixed in 4.12.16.
4.12.16
Affected by 3 other vulnerabilities.
VCID-hghf-rym3-3ufa
Aliases:
GHSA-v8w9-8mx6-g223
Hono vulnerable to Prototype Pollution possible through __proto__ key allowed in parseBody({ dot: true })
4.12.7
Affected by 11 other vulnerabilities.
VCID-mfkw-vtvw-bqas
Aliases:
CVE-2026-44458
GHSA-qp7p-654g-cw7p
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.18, the JSX renderer escapes style attribute object values for HTML but not for CSS. Untrusted input in a style object value or property name can therefore inject additional CSS declarations into the rendered style attribute. The impact is limited to CSS and does not allow JavaScript execution or HTML attribute breakout. This vulnerability is fixed in 4.12.18.
4.12.18
Affected by 0 other vulnerabilities.
VCID-q2gc-djt2-a3e9
Aliases:
CVE-2026-39408
GHSA-xf4j-xp2r-rqqx
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, a path traversal issue in toSSG() allows files to be written outside the configured output directory during static site generation. When using dynamic route parameters via ssgParams, specially crafted values can cause generated file paths to escape the intended output directory. This vulnerability is fixed in 4.12.12.
4.12.12
Affected by 6 other vulnerabilities.
VCID-rcau-p84w-3bgs
Aliases:
CVE-2026-29045
GHSA-q5qw-h33p-qvwr
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.12.4, when using serveStatic together with route-based middleware protections (e.g. app.use('/admin/*', ...)), inconsistent URL decoding allowed protected static resources to be accessed without authorization. The router used decodeURI, while serveStatic used decodeURIComponent. This mismatch allowed paths containing encoded slashes (%2F) to bypass middleware protections while still resolving to the intended filesystem path. This issue has been patched in version 4.12.4.
4.12.4
Affected by 12 other vulnerabilities.
VCID-tqjc-xv4n-5yb4
Aliases:
CVE-2026-29085
GHSA-p6xx-57qc-3wxr
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.12.4, when using streamSSE() in Streaming Helper, the event, id, and retry fields were not validated for carriage return (\r) or newline (\n) characters. Because the SSE protocol uses line breaks as field delimiters, this could allow injection of additional SSE fields within the same event frame if untrusted input was passed into these fields. This issue has been patched in version 4.12.4.
4.12.4
Affected by 12 other vulnerabilities.
VCID-uwfg-jrfw-s7cc
Aliases:
CVE-2026-39409
GHSA-xpcf-pg52-r92g
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, ipRestriction() does not canonicalize IPv4-mapped IPv6 client addresses (e.g. ::ffff:127.0.0.1) before applying IPv4 allow or deny rules. In environments such as Node.js dual-stack, this can cause IPv4 rules to fail to match, leading to unintended authorization behavior. This vulnerability is fixed in 4.12.12.
4.12.12
Affected by 6 other vulnerabilities.
VCID-zf4g-8fjt-qke8
Aliases:
CVE-2026-44457
GHSA-p77w-8qqv-26rm
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.18, Cache Middleware does not skip caching for responses that declare per-user variance via Vary: Authorization or Vary: Cookie. As a result, a response cached for one authenticated user may be served to subsequent requests from different users. This vulnerability is fixed in 4.12.18.
4.12.18
Affected by 0 other vulnerabilities.
Vulnerabilities fixed by this package (1)
Vulnerability Summary Aliases
VCID-g33z-exy1-63gh
Hono is a Web application framework that provides support for any JavaScript runtime. In versions 4.12.0 and 4.12.1, when using the AWS Lambda adapter (`hono/aws-lambda`) behind an Application Load Balancer (ALB), the `getConnInfo()` function incorrectly selected the first value from the `X-Forwarded-For` header. Because AWS ALB appends the real client IP address to the end of the `X-Forwarded-For` header, the first value can be attacker-controlled. This could allow IP-based access control mechanisms (such as the `ipRestriction` middleware) to be bypassed. Version 4.12.2 patches the issue.
Aliases:
CVE-2026-27700
GHSA-xh87-mx6m-69f3

| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-06-12T22:25:18.993231+00:00 | GitLab Importer | Affected by | VCID-mfkw-vtvw-bqas | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/hono/CVE-2026-44458.yml | 38.6.0 |
| 2026-06-12T22:25:16.322061+00:00 | GitLab Importer | Affected by | VCID-7xab-d7wk-83c5 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/hono/CVE-2026-44459.yml | 38.6.0 |
| 2026-06-12T22:25:14.070823+00:00 | GitLab Importer | Affected by | VCID-zf4g-8fjt-qke8 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/hono/CVE-2026-44457.yml | 38.6.0 |
| 2026-06-12T22:21:56.858028+00:00 | GitLab Importer | Affected by | VCID-3d6m-3rha-dkc2 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/hono/CVE-2026-44456.yml | 38.6.0 |
| 2026-06-12T22:21:47.966660+00:00 | GitLab Importer | Affected by | VCID-e479-yqm3-wkg4 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/hono/CVE-2026-44455.yml | 38.6.0 |
| 2026-06-12T22:08:41.091651+00:00 | GitLab Importer | Affected by | VCID-dy2t-qdtz-d3a1 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/hono/GHSA-458j-xx4x-4375.yml | 38.6.0 |
| 2026-06-12T21:57:35.955962+00:00 | GitLab Importer | Affected by | VCID-9xtz-up2w-mqdh | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/hono/CVE-2026-39407.yml | 38.6.0 |
| 2026-06-12T21:56:44.659937+00:00 | GitLab Importer | Affected by | VCID-q2gc-djt2-a3e9 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/hono/CVE-2026-39408.yml | 38.6.0 |
| 2026-06-12T21:56:33.223723+00:00 | GitLab Importer | Affected by | VCID-uwfg-jrfw-s7cc | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/hono/CVE-2026-39409.yml | 38.6.0 |
| 2026-06-12T21:56:16.591940+00:00 | GitLab Importer | Affected by | VCID-e3g1-j76d-ebes | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/hono/CVE-2026-39410.yml | 38.6.0 |
| 2026-06-12T21:56:12.549982+00:00 | GitLab Importer | Affected by | VCID-ajhs-ueyw-pfbz | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/hono/GHSA-26pp-8wgv-hjvm.yml | 38.6.0 |
| 2026-06-12T21:22:10.851987+00:00 | GitLab Importer | Affected by | VCID-hghf-rym3-3ufa | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/hono/GHSA-v8w9-8mx6-g223.yml | 38.6.0 |
| 2026-06-12T21:17:07.264092+00:00 | GitLab Importer | Affected by | VCID-36hs-1ykr-xbcs | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/hono/CVE-2026-29086.yml | 38.6.0 |
| 2026-06-12T21:17:05.225076+00:00 | GitLab Importer | Affected by | VCID-tqjc-xv4n-5yb4 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/hono/CVE-2026-29085.yml | 38.6.0 |
| 2026-06-12T21:17:03.319156+00:00 | GitLab Importer | Affected by | VCID-rcau-p84w-3bgs | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/hono/CVE-2026-29045.yml | 38.6.0 |
| 2026-06-12T15:50:49.676724+00:00 | GitLab Importer | Fixing | VCID-g33z-exy1-63gh | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/hono/CVE-2026-27700.yml | 38.6.0 |
| 2026-06-12T07:48:38.833641+00:00 | GithubOSV Importer | Fixing | VCID-g33z-exy1-63gh | https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-xh87-mx6m-69f3/GHSA-xh87-mx6m-69f3.json | 38.6.0 |
| 2026-06-11T20:38:19.074263+00:00 | GHSA Importer | Fixing | VCID-g33z-exy1-63gh | https://github.com/advisories/GHSA-xh87-mx6m-69f3 | 38.6.0 |