| purl | pkg:npm/hono@4.12.5 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-3d6m-3rha-dkc2 (aliases: CVE-2026-44456, GHSA-9vqf-7f2p-gf9v) | Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.16, bodyLimit() does not reliably enforce maxSize for requests without a usable Content-Length (e.g. Transfer-Encoding: chunked). Oversized requests can reach handlers and return 200 instead of 413. This vulnerability is fixed in 4.12.16. | Affected by 3 other vulnerabilities. |
| VCID-7xab-d7wk-83c5 (aliases: CVE-2026-44459, GHSA-hm8q-7f3q-5f36) | | Affected by 0 other vulnerabilities. |
| VCID-9xtz-up2w-mqdh (aliases: CVE-2026-39407, GHSA-wmmm-f939-6g9c) | Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, a path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes (//) in the request path. When route-based middleware (e.g., /admin/*) is used for authorization, the router may not match paths containing repeated slashes, while serveStatic resolves them as normalized paths. This can lead to a middleware bypass. This vulnerability is fixed in 4.12.12. | Affected by 6 other vulnerabilities. |
| VCID-ajhs-ueyw-pfbz (aliases: GHSA-26pp-8wgv-hjvm) | Hono missing validation of cookie name on write path in setCookie(). Summary: cookie names are not validated on the write path when using `setCookie()`, `serialize()`, or `serializeSigned()` to generate Set-Cookie headers. While certain cookie attributes such as domain and path are validated, the cookie name itself may contain invalid characters. This results in inconsistent handling of cookie names between parsing (read path) and serialization (write path). Details: when applications use `setCookie()`, `serialize()`, or `serializeSigned()` with a user-controlled cookie name, invalid values (e.g. containing control characters such as `\r` or `\n`) can be used to construct malformed Set-Cookie header values, for example `Set-Cookie: legit` followed on the next line by `X-Injected: evil=value`. However, in modern runtimes such as Node.js and Cloudflare Workers, such invalid header values are rejected and result in a runtime error before the response is sent, so the reported header injection / response splitting behavior could not be reproduced in these environments. Impact: applications that pass untrusted input as the cookie name to `setCookie()`, `serialize()`, or `serializeSigned()` may encounter runtime errors due to invalid header values. In tested environments, malformed Set-Cookie headers are rejected before being sent, and the reported header injection behavior could not be reproduced. This issue primarily affects correctness and robustness rather than introducing a confirmed exploitable vulnerability. | Affected by 6 other vulnerabilities. |
| VCID-dy2t-qdtz-d3a1 (aliases: GHSA-458j-xx4x-4375) | hono improperly handles JSX attribute names, allowing HTML injection in hono/jsx SSR. Summary: improper handling of JSX attribute names in hono/jsx allows malformed attribute keys to corrupt the generated HTML output. When untrusted input is used as attribute keys during server-side rendering, specially crafted keys can break out of attribute or tag boundaries and inject unintended HTML. Details: when rendering JSX elements to HTML strings, attribute values are escaped, but attribute names (keys) were previously inserted into the output without validation. If an attribute name contains characters such as `"`, `>`, or whitespace, it can alter the structure of the generated HTML: a malformed name can break out of the current attribute and introduce unintended additional attributes, or break out of the current HTML tag and inject new elements into the output. This issue arises when untrusted input (such as query parameters or form data) is used as JSX attribute keys during server-side rendering. Impact: an attacker who can control attribute keys used in JSX rendering may inject unintended attributes or HTML elements into the generated output, leading to injection of unexpected HTML attributes, corruption of the HTML structure, and potential cross-site scripting (XSS) if combined with unsafe usage patterns. This issue affects applications that pass untrusted input as JSX attribute keys during server-side rendering. | Affected by 5 other vulnerabilities. |
| VCID-e3g1-j76d-ebes (aliases: CVE-2026-39410, GHSA-r5rp-j6wh-rvv4) | Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, a discrepancy between browser cookie parsing and parse() handling allows cookie prefix protections to be bypassed. Cookie names that are treated as distinct by the browser may be normalized to the same key by parse(), allowing attacker-controlled cookies to override legitimate ones. This vulnerability is fixed in 4.12.12. | Affected by 6 other vulnerabilities. |
| VCID-e479-yqm3-wkg4 (aliases: CVE-2026-44455, GHSA-69xw-7hcm-h432) | Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.16, improper handling of JSX element tag names in hono/jsx allowed unvalidated tag names to be inserted directly into the generated HTML output. When untrusted input is used as a tag name via the programmatic jsx() or createElement() APIs during server-side rendering, specially crafted values may break out of the intended element context and inject unintended HTML. This vulnerability is fixed in 4.12.16. | Affected by 3 other vulnerabilities. |
| VCID-hghf-rym3-3ufa (aliases: GHSA-v8w9-8mx6-g223) | Hono vulnerable to prototype pollution through the __proto__ key allowed in parseBody({ dot: true }). | Affected by 11 other vulnerabilities. |
| VCID-mfkw-vtvw-bqas (aliases: CVE-2026-44458, GHSA-qp7p-654g-cw7p) | Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.18, the JSX renderer escapes style attribute object values for HTML but not for CSS. Untrusted input in a style object value or property name can therefore inject additional CSS declarations into the rendered style attribute. The impact is limited to CSS and does not allow JavaScript execution or HTML attribute breakout. This vulnerability is fixed in 4.12.18. | Affected by 0 other vulnerabilities. |
| VCID-q2gc-djt2-a3e9 (aliases: CVE-2026-39408, GHSA-xf4j-xp2r-rqqx) | Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, a path traversal issue in toSSG() allows files to be written outside the configured output directory during static site generation. When using dynamic route parameters via ssgParams, specially crafted values can cause generated file paths to escape the intended output directory. This vulnerability is fixed in 4.12.12. | Affected by 6 other vulnerabilities. |
| VCID-uwfg-jrfw-s7cc (aliases: CVE-2026-39409, GHSA-xpcf-pg52-r92g) | Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, ipRestriction() does not canonicalize IPv4-mapped IPv6 client addresses (e.g. ::ffff:127.0.0.1) before applying IPv4 allow or deny rules. In environments such as Node.js dual-stack, this can cause IPv4 rules to fail to match, leading to unintended authorization behavior. This vulnerability is fixed in 4.12.12. | Affected by 6 other vulnerabilities. |
| VCID-zf4g-8fjt-qke8 (aliases: CVE-2026-44457, GHSA-p77w-8qqv-26rm) | Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.18, Cache Middleware does not skip caching for responses that declare per-user variance via Vary: Authorization or Vary: Cookie. As a result, a response cached for one authenticated user may be served to subsequent requests from different users. This vulnerability is fixed in 4.12.18. | Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | | |
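The bodyLimit() entry (VCID-3d6m-3rha-dkc2) describes a limit that is only enforced when a Content-Length is present. The following is an added example, not Hono's bodyLimit() implementation: it contrasts a Content-Length-only check with one that counts the bytes actually read. The request shape `{ headers, chunks }`, the `MAX_SIZE` value and the function names are assumptions made for the demo.

```javascript
// Added example for VCID-3d6m-3rha-dkc2; this is not Hono's bodyLimit()
// implementation. Requests are a constructed stand-in { headers, chunks }
// with lower-cased header names and `chunks` as the Uint8Arrays a server
// would read off the socket.

const MAX_SIZE = 1024; // assumed limit for the demo

// Weak pattern: decide from Content-Length alone. A chunked request carries
// no Content-Length, so nothing is ever rejected.
function contentLengthOnlyLimit(req, maxSize = MAX_SIZE) {
  const len = req.headers['content-length'];
  if (len !== undefined && Number(len) > maxSize) return 413;
  return 200; // handler would run on the full body
}

// Hardened pattern: still reject early on a declared size, but also count the
// bytes actually read and stop the moment the total exceeds maxSize.
function countingLimit(req, maxSize = MAX_SIZE) {
  const len = req.headers['content-length'];
  if (len !== undefined && Number(len) > maxSize) return 413;
  let total = 0;
  for (const chunk of req.chunks) {
    total += chunk.byteLength;
    if (total > maxSize) return 413; // abort before the handler sees the body
  }
  return 200;
}

// Constructed requests.
const bytes = (n) => new Uint8Array(n);
const chunkedOversized = {
  headers: { 'transfer-encoding': 'chunked' }, // no Content-Length at all
  chunks: [bytes(600), bytes(600), bytes(600)], // 1800 bytes > MAX_SIZE
};
const declaredOversized = {
  headers: { 'content-length': '4096' },
  chunks: [bytes(4096)],
};
const smallChunked = {
  headers: { 'transfer-encoding': 'chunked' },
  chunks: [bytes(300), bytes(300)],
};

console.log(contentLengthOnlyLimit(chunkedOversized)); // 200: the bypass
console.log(countingLimit(chunkedOversized));          // 413
console.log(countingLimit(smallChunked));              // 200
```

In a real runtime the counting check wraps the request body stream and ends it with a 413 as soon as the running total passes the limit; the synchronous loop above is the equivalent over pre-read chunks. The point to verify in any framework is that the decision is made from bytes received, not from a header the client controls or may omit.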
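The serveStatic entry (VCID-9xtz-up2w-mqdh) is a disagreement between two path interpretations: the router sees the raw path, the file resolver sees a normalized one. The following is an added example, not Hono's router or serveStatic. The router here requires every path segment to be non-empty, which is the assumed behaviour that makes `/admin//x` miss an `/admin/*` route; the in-memory `files` map and function names are constructed for the demo.

```javascript
// Added example for VCID-9xtz-up2w-mqdh; not Hono's router or serveStatic.
// The router below requires every path segment to be non-empty, which is the
// assumed behaviour that makes "/admin//x" miss a "/admin/*" route.

// Compile "/admin/*" into a regex whose segments must be non-empty.
function compileRoute(pattern) {
  const body = pattern.split('/').slice(1).map((seg) =>
    seg === '*' ? '(?:/[^/]+)*' : '/' + seg.replace(/[.*+?^${}()|[\]\\]/g, '\\$&')
  ).join('');
  return new RegExp('^' + body + '/?$');
}

// Collapse runs of "/" the way a normalizing static-file resolver would.
function collapseSlashes(p) {
  return p.replace(/\/{2,}/g, '/');
}

// Simulated pipeline: auth middleware mounted on `protectedRoute`, then a
// static resolver over `files`, a constructed in-memory document root.
function serve(rawPath, { protectedRoute, files, normalizeBeforeRouting }) {
  const routingPath = normalizeBeforeRouting ? collapseSlashes(rawPath) : rawPath;
  if (compileRoute(protectedRoute).test(routingPath)) {
    return { status: 401, body: 'auth required' }; // middleware ran
  }
  const filePath = collapseSlashes(rawPath); // resolver normalizes regardless
  return Object.prototype.hasOwnProperty.call(files, filePath)
    ? { status: 200, body: files[filePath] }
    : { status: 404, body: 'not found' };
}

const files = { '/admin/secret.txt': 'top secret', '/index.html': 'hello' };

// Inconsistent pipeline: the router sees "/admin//secret.txt" (empty segment,
// no match) while the resolver serves "/admin/secret.txt".
const bypass = serve('/admin//secret.txt',
  { protectedRoute: '/admin/*', files, normalizeBeforeRouting: false });
console.log(bypass); // { status: 200, body: 'top secret' }

// Consistent pipeline: normalize once, before routing, so both sides agree.
const fixed = serve('/admin//secret.txt',
  { protectedRoute: '/admin/*', files, normalizeBeforeRouting: true });
console.log(fixed); // { status: 401, body: 'auth required' }
```

Normalizing before routing is one fix; rejecting paths with repeated slashes outright (400) is the other and is simpler to reason about. Either way, the authorization check and the file lookup must operate on the same canonical path.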
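Two cookie entries above concern the same boundary from opposite sides: VCID-ajhs-ueyw-pfbz (cookie names unvalidated on the write path) and VCID-e3g1-j76d-ebes (names normalized on the read path so that distinct browser cookies collapse into one key). The following is an added example, not Hono's cookie helpers. The `normalizeNames` option, which percent-decodes names, is an assumed weak behaviour used to show the prefix-bypass class; the advisory does not state which normalization Hono's parse() applied. Function names and the sample Cookie header are constructed.

```javascript
// Added example for VCID-ajhs-ueyw-pfbz and VCID-e3g1-j76d-ebes; not Hono's
// cookie helpers. Write path: validate the cookie name before building a
// Set-Cookie value. Read path: keep names byte-exact. The "normalizeNames"
// option (percent-decoding names) is an assumed weak behaviour used to show
// the prefix-bypass class; the advisory does not state which normalization
// Hono's parse() applied.

// cookie-name is an RFC 7230 token: printable ASCII minus separators.
const COOKIE_NAME_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;
// cookie-value: printable ASCII minus space, DQUOTE, comma, semicolon, backslash.
const COOKIE_VALUE_RE = /^[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*$/;

function isValidCookieName(name) {
  return COOKIE_NAME_RE.test(name);
}

// Write path. A name such as "legit\r\nX-Injected" is refused here rather
// than left for the runtime's header layer to reject.
function serializeCookie(name, value, attrs = {}) {
  if (!isValidCookieName(name)) {
    throw new TypeError(`invalid cookie name: ${JSON.stringify(name)}`);
  }
  if (!COOKIE_VALUE_RE.test(value)) {
    throw new TypeError('invalid cookie value');
  }
  let out = `${name}=${value}`;
  if (attrs.path) out += `; Path=${attrs.path}`;
  if (attrs.secure) out += '; Secure';
  if (attrs.httpOnly) out += '; HttpOnly';
  return out;
}

// Read path. Later duplicates overwrite earlier ones, as a naive parser does.
function parseCookies(header, { normalizeNames = false } = {}) {
  const out = Object.create(null);
  for (const pair of header.split(';')) {
    const eq = pair.indexOf('=');
    if (eq < 0) continue;
    let name = pair.slice(0, eq).trim();
    const value = pair.slice(eq + 1).trim();
    if (normalizeNames) name = decodeURIComponent(name); // assumed weak behaviour
    if (!isValidCookieName(name)) continue;
    out[name] = value;
  }
  return out;
}

// Constructed Cookie header: the server set __Host-sid; an attacker who can
// only set un-prefixed cookies added %5F%5FHost-sid, which the browser treats
// as a different name and so allows.
const header = '__Host-sid=legit; %5F%5FHost-sid=evil';
console.log(parseCookies(header));                           // two distinct keys
console.log(parseCookies(header, { normalizeNames: true }));  // __Host-sid: 'evil'
```

The `__Host-` and `__Secure-` prefixes only mean something if the server compares the name the browser actually sent. Any decoding, case folding or trimming applied to names before lookup creates a second spelling the browser does not police, which is exactly the gap the second entry describes.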
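Three hono/jsx entries share one root cause: something other than an attribute value reaches the HTML output unvalidated (attribute names in VCID-dy2t-qdtz-d3a1, tag names in VCID-e479-yqm3-wkg4, CSS property names and values in VCID-mfkw-vtvw-bqas). The following is an added example, not hono/jsx code: a minimal SSR serializer that validates all three, shown beside a value-escaping-only version that reproduces the attribute-key breakout. The regexes, function names and the `evilKey` input are constructed for the demo.

```javascript
// Added example for VCID-dy2t-qdtz-d3a1, VCID-e479-yqm3-wkg4 and
// VCID-mfkw-vtvw-bqas; this is not hono/jsx. A minimal SSR serializer that
// validates tag names, attribute names and CSS property names, and refuses
// style values that can end a declaration, instead of escaping values only.

function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

const TAG_NAME_RE = /^[A-Za-z][A-Za-z0-9-]*$/;        // element / custom-element shape
const ATTR_NAME_RE = /^[A-Za-z_:][A-Za-z0-9_:.-]*$/;  // no space, quote, =, <, >, /
const CSS_PROP_RE = /^-?[A-Za-z][A-Za-z0-9-]*$/;      // "color", "--brand", "-webkit-x"

// { color: 'red' } -> "color: red". Names are validated; values may not
// contain ";", "{" or "}" so they cannot start another declaration.
function serializeStyle(style) {
  const decls = [];
  for (const [prop, value] of Object.entries(style)) {
    if (!CSS_PROP_RE.test(prop)) throw new Error(`invalid css property: ${prop}`);
    const v = String(value);
    if (/[;{}]/.test(v)) throw new Error(`invalid css value for ${prop}`);
    decls.push(`${prop}: ${v}`);
  }
  return decls.join('; ');
}

// Hardened serializer: names are validated before they reach the output.
function renderElement(tag, attrs = {}, children = []) {
  if (!TAG_NAME_RE.test(tag)) throw new Error(`invalid tag name: ${tag}`);
  let out = `<${tag}`;
  for (const [name, value] of Object.entries(attrs)) {
    if (!ATTR_NAME_RE.test(name)) throw new Error(`invalid attribute name: ${name}`);
    if (value === false || value == null) continue;
    if (value === true) { out += ` ${name}`; continue; }
    const text = name === 'style' && typeof value === 'object' ? serializeStyle(value) : String(value);
    out += ` ${name}="${escapeHtml(text)}"`;
  }
  out += '>';
  for (const child of children) out += escapeHtml(child);
  return out + `</${tag}>`;
}

// Weak serializer for contrast: escapes values, trusts names and tags.
function renderUnchecked(tag, attrs = {}) {
  let out = `<${tag}`;
  for (const [name, value] of Object.entries(attrs)) out += ` ${name}="${escapeHtml(value)}"`;
  return out + `></${tag}>`;
}

// Constructed untrusted input used as an attribute KEY.
const evilKey = 'x"><img src=x onerror=alert(1)><b';
console.log(renderUnchecked('div', { [evilKey]: 'v' }));
// <div x"><img src=x onerror=alert(1)><b="v"></div>   <- new element injected
console.log(renderElement('div', { id: 'a', style: { color: 'red' } }, ['<hi>']));
// <div id="a" style="color: red">&lt;hi&gt;</div>
```

Validation rather than escaping is the right tool for names: there is no HTML escape that turns an arbitrary string into a legal attribute or tag name, so the only safe outcomes are accept-as-is or reject. For the style case the check is deliberately narrower than a CSS parser; it blocks declaration and block delimiters, which is what the advisory's CSS injection needs, without trying to validate the value itself.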
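The parseBody({ dot: true }) entry (VCID-hghf-rym3-3ufa) is the standard prototype-pollution pattern: a dotted key is walked with plain property access, and `__proto__` resolves to Object.prototype. The following is an added example, not Hono's parseBody(): a dot-notation expander whose guard can be switched off to reproduce the pollution and on to refuse it. Function names and the form bodies are constructed.

```javascript
// Added example for VCID-hghf-rym3-3ufa; not Hono's parseBody(). Dot-notation
// expansion ("a.b=1" -> { a: { b: "1" } }) over constructed form bodies, with
// the guard against prototype-polluting keys switchable to show both sides.

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function setPath(target, dottedKey, value, { guard }) {
  const parts = dottedKey.split('.');
  let node = target;
  for (let i = 0; i < parts.length; i++) {
    const key = parts[i];
    if (guard && FORBIDDEN_KEYS.has(key)) throw new Error(`refusing key ${key}`);
    if (i === parts.length - 1) { node[key] = value; return target; }
    // Without the guard, node["__proto__"] is Object.prototype and the next
    // assignment lands on every object in the process.
    if (typeof node[key] !== 'object' || node[key] === null) node[key] = {};
    node = node[key];
  }
  return target;
}

// Expand a urlencoded body into a plain object (numeric segments such as
// "tags.0" become string keys, not array indices, in this example).
function parseBodyDot(formBody, { guard = true } = {}) {
  const out = {};
  for (const [k, v] of new URLSearchParams(formBody)) setPath(out, k, v, { guard });
  return out;
}

// Reproduce the weak behaviour, read the leaked property from a fresh object,
// then remove it so the rest of the process is not left polluted.
function demoUnguarded() {
  parseBodyDot('__proto__.polluted=yes', { guard: false });
  const leaked = ({}).polluted;
  delete Object.prototype.polluted;
  return leaked;
}

console.log(parseBodyDot('user.name=alice&user.tags.0=admin'));
// { user: { name: 'alice', tags: { '0': 'admin' } } }
console.log(demoUnguarded()); // 'yes': every object gained .polluted
try { parseBodyDot('__proto__.polluted=yes'); } catch (e) { console.log(e.message); }
```

A key denylist is the minimal fix; building the result from `Object.create(null)` and only ever assigning own properties is the more robust one, since there is then no inherited `__proto__` accessor to walk into.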
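The toSSG() entry (VCID-q2gc-djt2-a3e9) is a write-side path traversal: a route parameter becomes part of a file name without being checked against the output directory. The following is an added example, not Hono's toSSG(): it substitutes ssgParams-style values into a route, rejects separators and dot segments per parameter, and checks containment of the final normalized path. POSIX paths only is an assumption (on Windows `\` would also have to be treated as a separator); function names and the sample routes are constructed.

```javascript
// Added example for VCID-q2gc-djt2-a3e9; not Hono's toSSG(). Maps a route plus
// ssgParams-style values to an output file path and refuses any result that
// escapes the output directory. POSIX paths only (an assumption: on Windows
// "\" would also have to be treated as a separator).

// Lexical normalization: drop empty and "." segments, let ".." pop a segment.
function normalizePosix(p) {
  const out = [];
  for (const seg of p.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') { out.pop(); continue; }
    out.push(seg);
  }
  return '/' + out.join('/');
}

// "/posts/:slug" + { slug } -> "/posts/<slug>" ("/" -> "/index").
function substituteParams(routePattern, params) {
  const route = routePattern.replace(/:([A-Za-z_]\w*)/g, (_, name) => {
    if (!(name in params)) throw new Error(`missing param ${name}`);
    return params[name];
  });
  return route.endsWith('/') ? route + 'index' : route;
}

// Weak version: trusts the substituted route.
function unsafeOutputPath(outDir, routePattern, params) {
  return normalizePosix(`${outDir}/${substituteParams(routePattern, params)}.html`);
}

// Hardened version: reject separators and dot segments in each param, and
// check containment of the final normalized path as defence in depth.
function outputPath(outDir, routePattern, params) {
  for (const [name, value] of Object.entries(params)) {
    if (/[\\/]/.test(value) || value === '.' || value === '..' || value === '') {
      throw new Error(`unsafe value for param ${name}: ${JSON.stringify(value)}`);
    }
  }
  const base = normalizePosix(outDir);
  const target = normalizePosix(`${base}/${substituteParams(routePattern, params)}.html`);
  if (!target.startsWith(base + '/')) {
    throw new Error(`refusing to write outside ${base}: ${target}`);
  }
  return target;
}

const evil = { slug: '../../etc/cron.d/evil' };
console.log(unsafeOutputPath('/site/out', '/posts/:slug', evil));
// /site/etc/cron.d/evil.html   <- outside /site/out
console.log(outputPath('/site/out', '/posts/:slug', { slug: 'hello-world' }));
// /site/out/posts/hello-world.html
```

The per-parameter check is what a generator should rely on, because a route value with a slash in it is never a legitimate single segment; the containment check catches whatever a future route pattern or encoding might let through.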
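The ipRestriction() entry (VCID-uwfg-jrfw-s7cc) is about address representation: on a dual-stack Node.js listener the peer address arrives as `::ffff:127.0.0.1`, which an IPv4 rule written as `127.0.0.1` does not match unless the address is canonicalized first. The following is an added example, not Hono's ipRestriction(): a canonicalizer for both textual forms of an IPv4-mapped address, IPv4/CIDR rule matching, and a deny-then-allow decision that can be run with canonicalization off to reproduce the failure. Rule syntax is limited to IPv4 addresses and CIDR prefixes; function names and rule sets are constructed.

```javascript
// Added example for VCID-uwfg-jrfw-s7cc; not Hono's ipRestriction(). Canonicalize
// IPv4-mapped IPv6 client addresses to dotted IPv4 before IPv4 allow/deny
// rules are applied. Rules here are IPv4 addresses or CIDR prefixes only.

// "::ffff:127.0.0.1", "::ffff:7f00:1" and "[::ffff:127.0.0.1]" -> "127.0.0.1".
function canonicalizeIp(addr) {
  let a = addr.trim().toLowerCase();
  if (a.startsWith('[') && a.endsWith(']')) a = a.slice(1, -1);
  const zone = a.indexOf('%');
  if (zone >= 0) a = a.slice(0, zone); // drop a zone id such as %eth0
  let m = /^(?:0*:)*ffff:(\d{1,3}(?:\.\d{1,3}){3})$/.exec(a);
  if (m) return m[1];
  m = /^(?:0*:)*ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/.exec(a);
  if (m) {
    const hi = parseInt(m[1], 16), lo = parseInt(m[2], 16);
    return [hi >> 8, hi & 0xff, lo >> 8, lo & 0xff].join('.');
  }
  return a; // anything else is left as-is (plain IPv4 or native IPv6)
}

const IPV4_RE = /^\d{1,3}(?:\.\d{1,3}){3}$/;

function ipv4ToInt(ip) {
  return ip.split('.').reduce((n, octet) => ((n << 8) | Number(octet)) >>> 0, 0);
}

// "10.0.0.0/8" or "127.0.0.1" (treated as /32).
function matchesIpv4Rule(rule, ip) {
  const [net, bitsStr] = rule.split('/');
  const bits = bitsStr === undefined ? 32 : Number(bitsStr);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(net) & mask) >>> 0);
}

// Deny list first, then allow list (deny-by-default when an allow list exists).
function ipRestriction({ allowList = [], denyList = [] }, remoteAddr, { canonicalize = true } = {}) {
  const ip = canonicalize ? canonicalizeIp(remoteAddr) : remoteAddr.toLowerCase();
  const hit = (rules) => IPV4_RE.test(ip) && rules.some((r) => matchesIpv4Rule(r, ip));
  if (hit(denyList)) return 403;
  if (allowList.length > 0 && !hit(allowList)) return 403;
  return 200;
}

// A Node.js dual-stack listener reports a loopback client as ::ffff:127.0.0.1.
const allowLoopback = { allowList: ['127.0.0.1', '10.0.0.0/8'] };
console.log(ipRestriction(allowLoopback, '::ffff:127.0.0.1', { canonicalize: false })); // 403: allowed peer locked out
console.log(ipRestriction(allowLoopback, '::ffff:127.0.0.1'));                          // 200

const denyInternal = { denyList: ['10.0.0.0/8'] };
console.log(ipRestriction(denyInternal, '::ffff:10.1.2.3', { canonicalize: false })); // 200: deny rule skipped
console.log(ipRestriction(denyInternal, '::ffff:10.1.2.3'));                          // 403
```

The two runs with canonicalization off show both failure directions the advisory's "unintended authorization behavior" covers: an allow-listed peer is refused, and a deny-listed peer is admitted. Canonicalizing once at the top of the middleware, before any rule is consulted, removes both.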
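The Cache Middleware entry (VCID-zf4g-8fjt-qke8) is a shared-cache rule: a response that declares it varies on Authorization or Cookie is per-user and must not be stored under a key that ignores those headers. The following is an added example, not Hono's cache middleware: a storability check plus a minimal method+URL keyed cache, run once with the check disabled to reproduce the cross-user leak and once with it enabled. The handler, users and function names are constructed.

```javascript
// Added example for VCID-zf4g-8fjt-qke8; not Hono's cache middleware. A shared
// cache must not store a response whose Vary names a per-user request header
// (Authorization, Cookie) or that is marked private / no-store; `checkVary`
// switches that rule off to reproduce the cross-user leak.

const PER_USER_VARY = new Set(['authorization', 'cookie', '*']);

// Response headers are a constructed object with lower-case keys.
function isStorableInSharedCache(headers) {
  const cc = (headers['cache-control'] || '').toLowerCase();
  if (/\b(?:private|no-store)\b/.test(cc)) return false;
  if (headers['set-cookie']) return false; // a Set-Cookie response is per-user too
  const vary = (headers['vary'] || '').toLowerCase().split(',').map((s) => s.trim()).filter(Boolean);
  return !vary.some((v) => PER_USER_VARY.has(v));
}

// Minimal cache: key on method + URL, store 200 GET responses.
function makeCacheMiddleware({ checkVary }) {
  const store = new Map();
  return function handle(req, handler) {
    const key = `${req.method} ${req.url}`;
    if (store.has(key)) return { ...store.get(key), fromCache: true };
    const res = handler(req);
    const storable = checkVary ? isStorableInSharedCache(res.headers) : true;
    if (req.method === 'GET' && res.status === 200 && storable) store.set(key, res);
    return { ...res, fromCache: false };
  };
}

// Constructed handler: an authenticated endpoint that declares Vary: Cookie.
function profileHandler(req) {
  const user = req.headers.cookie.replace(/^sid=/, '');
  return {
    status: 200,
    headers: { 'content-type': 'application/json', vary: 'Cookie' },
    body: JSON.stringify({ user }),
  };
}

// Two users hit the same URL through one cache instance.
function demo(checkVary) {
  const cache = makeCacheMiddleware({ checkVary });
  cache({ method: 'GET', url: '/me', headers: { cookie: 'sid=alice' } }, profileHandler);
  const bob = cache({ method: 'GET', url: '/me', headers: { cookie: 'sid=bob' } }, profileHandler);
  return { bobSees: JSON.parse(bob.body).user, fromCache: bob.fromCache };
}

console.log(demo(false)); // { bobSees: 'alice', fromCache: true }  <- leak
console.log(demo(true));  // { bobSees: 'bob', fromCache: false }
```

Skipping storage is the conservative fix. The alternative, folding the named request headers into the cache key, is only safe if every header listed in Vary is actually part of the key; a cache that keys on URL alone has no correct way to honour `Vary: Cookie` other than not caching.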