
chore(deps): update dependency hono to v4.12.18 [security] #83

Open
renovate[bot] wants to merge 1 commit into main from renovate/npm-hono-vulnerability

Conversation


@renovate renovate Bot commented Jan 13, 2026

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package       | Change
hono (source) | 4.10.7 → 4.12.18

Hono JWT Middleware's JWT Algorithm Confusion via Unsafe Default (HS256) Allows Token Forgery and Auth Bypass

CVE-2026-22817 / GHSA-f67f-6cw9-8mq4

More information

Details

Summary

A flaw in Hono’s JWK/JWKS JWT verification middleware allowed the JWT header’s alg value to influence signature verification when the selected JWK did not explicitly specify an algorithm. This could enable JWT algorithm confusion and, in certain configurations, allow forged tokens to be accepted.

Details

When verifying JWTs using JWKs or a JWKS endpoint, the middleware selected the verification algorithm based on the JWK’s alg field if present, but otherwise fell back to the alg value provided in the unverified JWT header.

Because the alg field in a JWK is optional and often omitted in real-world JWKS configurations, this behavior could allow an attacker to control the algorithm used for verification. In some environments, this may lead to authentication or authorization bypass through crafted tokens.

The practical impact depends on application configuration, including which algorithms are accepted and how JWTs are used for authorization decisions.

Impact

In affected configurations, an attacker may be able to forge JWTs with attacker-controlled claims, potentially resulting in authentication or authorization bypass.

Applications that do not use the JWK/JWKS middleware, do not rely on JWT-based authentication, or explicitly restrict allowed algorithms are not affected.

Resolution

Update to the latest patched release.

Breaking change:

As part of this fix, the JWT middleware now requires the alg option to be explicitly specified. This prevents algorithm confusion by ensuring that the verification algorithm is not derived from untrusted JWT header values.

Applications upgrading must update their configuration accordingly.

Before (vulnerable configuration)

import { jwt } from 'hono/jwt'

app.use(
  '/auth/*',
  jwt({
    secret: 'it-is-very-secret',
    // alg was optional
  })
)

After (patched configuration)

import { jwt } from 'hono/jwt'

app.use(
  '/auth/*',
  jwt({
    secret: 'it-is-very-secret',
    alg: 'HS256', // required
  })
)

Severity

  • CVSS Score: 8.2 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Hono JWK Auth Middleware has JWT algorithm confusion when JWK lacks "alg" (untrusted header.alg fallback)

CVE-2026-22818 / GHSA-3vhc-576x-3qv4

More information

Details

Summary

A flaw in Hono’s JWK/JWKS JWT verification middleware allowed the algorithm specified in the JWT header to influence signature verification when the selected JWK did not explicitly define an algorithm. This could enable JWT algorithm confusion and, in certain configurations, allow forged tokens to be accepted.

Details

When verifying JWTs using JWKs or a JWKS endpoint, the middleware selected the verification algorithm based on the JWK’s alg field if present. If the JWK did not specify an algorithm, the middleware fell back to using the alg value provided in the unverified JWT header.

Because the alg field in a JWK is optional and commonly omitted in real-world JWKS configurations, this behavior could allow an attacker to influence which algorithm is used for verification. In some environments, this may result in authentication or authorization bypass through crafted JWTs.

The practical impact depends on application configuration, including which algorithms are accepted and how JWTs are used to make authorization decisions.

Impact

In affected configurations, an attacker may be able to forge JWTs with attacker-controlled claims, potentially leading to authentication or authorization bypass.

Applications that do not use the JWK/JWKS middleware, do not rely on JWT-based authentication, or explicitly restrict allowed algorithms are not affected.

Resolution

Update to the latest patched release.

Breaking change:

The JWK/JWKS JWT verification middleware has been updated to require an explicit allowlist of asymmetric algorithms when verifying tokens. The middleware no longer derives the verification algorithm from untrusted JWT header values.

Instead, callers must explicitly specify which asymmetric algorithms are permitted, and only tokens signed with those algorithms will be accepted. This prevents JWT algorithm confusion by ensuring that algorithm selection is fully controlled by application configuration.

As part of this fix, the alg option is now required when using the JWK/JWKS middleware, and symmetric (HS*) algorithms are no longer accepted in this context.

Before (vulnerable configuration)

import { jwk } from 'hono/jwk'

app.use(
  '/auth/*',
  jwk({
    jwks_uri: 'https://example.com/.well-known/jwks.json',
    // alg was optional
  })
)

After (patched configuration)

import { jwk } from 'hono/jwk'

app.use(
  '/auth/*',
  jwk({
    jwks_uri: 'https://example.com/.well-known/jwks.json',
    alg: ['RS256'], // required: explicit asymmetric algorithm allowlist
  })
)

Severity

  • CVSS Score: 8.2 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Hono IPv4 address validation bypass in IP Restriction Middleware allows IP spoofing

CVE-2026-24398 / GHSA-r354-f388-2fhh

More information

Details

Summary

IP Restriction Middleware in Hono is vulnerable to an IP address validation bypass. The IPV4_REGEX pattern and convertIPv4ToBinary function in src/utils/ipaddr.ts do not properly validate that IPv4 octet values are within the valid range of 0-255, allowing attackers to craft malformed IP addresses that bypass IP-based access controls.

Details

The vulnerability exists in two components:

  1. Permissive regex pattern: The IPV4_REGEX (/^[0-9]{0,3}\.[0-9]{0,3}\.[0-9]{0,3}\.[0-9]{0,3}$/) accepts octet values greater than 255 (e.g., 999).
  2. Unsafe binary conversion: The convertIPv4ToBinary function does not validate octet ranges before performing bitwise operations. When an octet exceeds 255, it overflows into adjacent octets during the bit-shift calculation.

For example, the IP address 1.2.2.355 is accepted and converts to the same binary value as 1.2.3.99:

  • 355 = 256 + 99 = 0x163
  • After bit-shifting: (1 << 24) + (2 << 16) + (2 << 8) + 355 = 0x01020363 = 1.2.3.99

Impact

An attacker can bypass IP-based restrictions by crafting malformed IP addresses:

  • Blocklist bypass: If 1.2.3.0/24 is blocked, an attacker can use 1.2.2.355 (or similar) to bypass the restriction.
  • Allowlist bypass: Requests from unauthorized IP ranges may be incorrectly permitted.

This is exploitable when the application relies on client-provided IP addresses (e.g., X-Forwarded-For header) for access control decisions.

Affected Components
  • IP Restriction Middleware
  • src/utils/ipaddr.ts: IPV4_REGEX, convertIPv4ToBinary, distinctRemoteAddr

Severity

  • CVSS Score: 4.8 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Hono cache middleware ignores "Cache-Control: private" leading to Web Cache Deception

CVE-2026-24472 / GHSA-6wqw-2p9w-4vw4

More information

Details

Summary

Cache Middleware contains an information disclosure vulnerability caused by improper handling of HTTP cache control directives. The middleware does not respect standard cache control headers such as Cache-Control: private or Cache-Control: no-store, which may result in private or authenticated responses being cached and subsequently exposed to unauthorized users.

Details

The vulnerability exists in the cache decision logic of Cache Middleware. When determining whether a response should be cached, the middleware does not take HTTP cache control semantics into account and may cache responses that are explicitly marked as private by the application. While some runtimes, such as Cloudflare Workers, enforce cache control restrictions at the platform level, other runtimes including Deno, Bun, and Node.js rely on the middleware’s behavior. As a result, applications running on these runtimes may unintentionally cache sensitive responses.

Impact

This issue can lead to Web Cache Deception and information disclosure. If an authenticated user accesses an endpoint that returns user-specific or sensitive data and the response is cached despite being marked as private, subsequent unauthenticated requests may receive the cached response. This may result in the exposure of personally identifiable information or session-related data. The impact is limited to applications that use the hono/cache middleware and rely on it to correctly honor HTTP cache control directives.

Affected Components
  • Cache Middleware

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Hono has an Arbitrary Key Read in Serve static Middleware (Cloudflare Workers Adapter)

CVE-2026-24473 / GHSA-w332-q679-j88p

More information

Details

Summary

Serve static Middleware for the Cloudflare Workers adapter contains an information disclosure vulnerability that may allow attackers to read arbitrary keys from the Workers environment. Improper validation of user-controlled paths can result in unintended access to internal asset keys.

Details

The vulnerability exists in the serve-static middleware used with the Cloudflare Workers adapter. When serving static assets, the middleware does not sufficiently validate or restrict user-supplied paths before resolving them against the Workers asset storage.

As a result, an attacker may craft requests that access arbitrary keys beyond the intended static asset scope. This issue only affects applications running on Cloudflare Workers that use Serve static Middleware with user-controllable request paths.

Impact

This vulnerability may lead to information disclosure by allowing unauthorized access to internal assets or data stored in the Workers environment. The exposed data is limited to readable asset keys and does not allow modification of stored data or execution of arbitrary code.

The impact is limited to applications that use Serve static Middleware in the Cloudflare Workers adapter and rely on it to safely handle untrusted request paths.

Affected Components
  • Serve static Middleware (Cloudflare Workers adapter)

Severity

  • CVSS Score: 6.3 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Hono vulnerable to XSS through ErrorBoundary component

CVE-2026-24771 / GHSA-9r54-q6cx-xmh5

More information

Details

Summary

A Cross-Site Scripting (XSS) vulnerability exists in the ErrorBoundary component of the hono/jsx library. Under certain usage patterns, untrusted user-controlled strings may be rendered as raw HTML, allowing arbitrary script execution in the victim's browser.

Details

The issue is in the ErrorBoundary component (src/jsx/components.ts). ErrorBoundary previously forced certain rendered output paths to be treated as raw HTML, bypassing the library's default escaping behavior. This could result in unescaped rendering when developers pass user-controlled strings directly as children, or when fallbackRender returns user-controlled strings (for example, reflecting error messages that contain attacker input).

This vulnerability is only exploitable when an application renders untrusted user input within ErrorBoundary without appropriate escaping or sanitization.

Impact

Successful exploitation may allow attackers to execute arbitrary JavaScript in the victim’s browser (reflected XSS). Depending on the application context, this can lead to actions such as session compromise, data exfiltration, or performing unauthorized actions as the victim.

Affected Components
  • hono/jsx: ErrorBoundary component

Severity

  • CVSS Score: 4.7 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Hono added timing comparison hardening in basicAuth and bearerAuth

GHSA-gq3j-xvxp-8hrf

More information

Details

Summary

The basicAuth and bearerAuth middlewares previously used a comparison that was not fully timing-safe.

The timingSafeEqual function used normal string equality (===) when comparing hash values. This comparison may stop early if values differ, which can theoretically cause small timing differences.

The implementation has been updated to use a safer comparison method.

Details

The issue was caused by the use of normal string equality (===) when comparing hash values inside the timingSafeEqual function.

In JavaScript, string comparison may stop as soon as a difference is found. This means the comparison time can slightly vary depending on how many characters match.

Under very specific and controlled conditions, this behavior could theoretically allow timing-based analysis.

The implementation has been updated to:

  • Avoid early termination during comparison
  • Use a constant-time-style comparison method

Impact

This issue is unlikely to be exploited in normal environments.

It may only be relevant in highly controlled situations where precise timing measurements are possible.

This change is considered a security hardening improvement. Users are encouraged to upgrade to the latest version.

Severity

  • CVSS Score: 3.7 / 10 (Low)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Hono vulnerable to arbitrary file access via serveStatic vulnerability

CVE-2026-29045 / GHSA-q5qw-h33p-qvwr

More information

Details

Summary

When using serveStatic together with route-based middleware protections (e.g. app.use('/admin/*', ...)), inconsistent URL decoding allowed protected static resources to be accessed without authorization.

The router used decodeURI, while serveStatic used decodeURIComponent. This mismatch allowed paths containing encoded slashes (%2F) to bypass middleware protections while still resolving to the intended filesystem path.

Details

The routing layer preserved %2F as a literal string, while serveStatic decoded it into / before resolving the file path.

Example:

Request: /admin%2Fsecret.html

  • Router sees: /admin%2Fsecret.html → does not match /admin/*
  • Static handler resolves: /admin/secret.html

As a result, static files under the configured static root could be served without triggering route-based protections.

This only affects applications that both:

  • Protect subpaths using route-based middleware, and
  • Serve files from the same static root using serveStatic.

This does not allow access outside the static root and is not a path traversal vulnerability.

Impact

An unauthenticated attacker could bypass route-based authorization for protected static resources by supplying paths containing encoded slashes.

Applications relying solely on route-based middleware to protect static subpaths may have exposed those resources.

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Hono Vulnerable to SSE Control Field Injection via CR/LF in writeSSE()

CVE-2026-29085 / GHSA-p6xx-57qc-3wxr

More information

Details

Summary

When using streamSSE() in Streaming Helper, the event, id, and retry fields were not validated for carriage return (\r) or newline (\n) characters.

Because the SSE protocol uses line breaks as field delimiters, this could allow injection of additional SSE fields within the same event frame if untrusted input was passed into these fields.

Details

The SSE helper builds event frames by joining lines with \n. While multi-line data: fields are handled according to the SSE specification, the event, id, and retry fields previously allowed raw values without rejecting embedded CR/LF characters.

Including CR/LF in these control fields could allow unintended additional fields (such as data:, id:, or retry:) to be injected into the event stream.

The issue has been fixed by rejecting CR/LF characters in these fields.

Impact

An attacker could manipulate the structure of SSE event frames if an application passed user-controlled input directly into event, id, or retry.

Depending on application behavior, this could result in injected SSE fields or altered event stream handling. Applications that render e.data in an unsafe manner (for example, using innerHTML) could potentially expose themselves to client-side script injection.

This issue affects applications that rely on the SSE helper to enforce protocol-level constraints.

Severity

  • CVSS Score: 6.5 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Hono Vulnerable to Cookie Attribute Injection via Unsanitized domain and path in setCookie()

CVE-2026-29086 / GHSA-5pq2-9x2x-5p6w

More information

Details

Summary

The setCookie() utility did not validate semicolons (;), carriage returns (\r), or newline characters (\n) in the domain and path options when constructing the Set-Cookie header.

Because cookie attributes are delimited by semicolons, this could allow injection of additional cookie attributes if untrusted input was passed into these fields.

Details

setCookie() builds the Set-Cookie header by concatenating option values. While the cookie value itself is URL-encoded, the domain and path options were previously interpolated without rejecting unsafe characters.

Including ;, \r, or \n in these fields could result in unintended additional attributes (such as SameSite, Secure, Domain, or Path) being appended to the cookie header.

Modern runtimes prevent full header injection via CRLF, so this issue is limited to attribute-level manipulation within a single Set-Cookie header.

The issue has been fixed by rejecting these characters in the domain and path options.

Impact

An attacker may be able to manipulate cookie attributes if an application passes user-controlled input directly into the domain or path options of setCookie().

This could affect cookie scoping or security attributes depending on browser behavior. Exploitation requires application-level misuse of cookie options.

Severity

  • CVSS Score: 5.4 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Hono vulnerable to Prototype Pollution possible through __proto__ key allowed in parseBody({ dot: true })

GHSA-v8w9-8mx6-g223

More information

Details

Summary

When using parseBody({ dot: true }) in HonoRequest, specially crafted form field names such as __proto__.x could create objects containing a __proto__ property.

If the parsed result is later merged into regular JavaScript objects using unsafe merge patterns, this may lead to prototype pollution in the target object.

Details

The parseBody({ dot: true }) feature supports dot notation to construct nested objects from form field names.

In previous versions, the __proto__ path segment was not filtered. As a result, specially crafted keys such as __proto__.x could produce objects containing __proto__ properties.

While this behavior does not directly modify Object.prototype within Hono itself, it may become exploitable if the parsed result is later merged into regular JavaScript objects using unsafe merge patterns.

Impact

Applications that merge parsed form data into regular objects using unsafe patterns (for example recursive deep merge utilities) may become vulnerable to prototype pollution.

Severity

  • CVSS Score: 4.8 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Hono: Path traversal in toSSG() allows writing files outside the output directory

CVE-2026-39408 / GHSA-xf4j-xp2r-rqqx

More information

Details

Summary

A path traversal issue in toSSG() allows files to be written outside the configured output directory during static site generation. When using dynamic route parameters via ssgParams, specially crafted values can cause generated file paths to escape the intended output directory.

Details

The static site generation process creates output files based on route paths derived from application routes and parameters. When ssgParams is used to provide values for dynamic routes, those values are used to construct output file paths. If these values contain traversal sequences (e.g. ..), the resulting output path may resolve outside the configured output directory. As a result, files may be written to unintended locations instead of being confined within the specified output directory.

For example:

import { Hono } from 'hono'
import { toSSG, ssgParams } from 'hono/ssg'
import fs from 'node:fs/promises' // file-system module passed to toSSG (omitted in the advisory snippet)

const app = new Hono()

// Parameter value containing a traversal sequence, as described in the advisory
app.get('/:id', ssgParams([{ id: '../pwned' }]), (c) => {
  return c.text('pwned')
})

toSSG(app, fs, { dir: './static' })

In this case, the generated output path may resolve outside ./static, resulting in a file being written outside the intended output directory.

Impact

An attacker who can influence values passed to ssgParams during the build process may be able to write files outside the intended output directory.

Depending on the build and deployment environment, this may:

  • overwrite unintended files
  • affect generated artifacts
  • impact deployment outputs or downstream tooling

This issue is limited to build-time static site generation and does not affect request-time routing.

Severity

  • CVSS Score: 5.9 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Hono: Middleware bypass via repeated slashes in serveStatic

CVE-2026-39407 / GHSA-wmmm-f939-6g9c

More information

Details

Summary

A path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes (//) in the request path.

When route-based middleware (e.g., /admin/*) is used for authorization, the router may not match paths containing repeated slashes, while serveStatic resolves them as normalized paths. This can lead to a middleware bypass.

Details

The routing layer and serveStatic handle repeated slashes differently.

For example:

/admin/secret.txt => matches /admin/*
/admin//secret.txt => may not match /admin/*

However, serveStatic may interpret both paths as the same file location (e.g., admin/secret.txt) and return the file.

This inconsistency allows a request such as:

GET //admin/secret.txt

to bypass middleware registered on /admin/* and access protected files.

The issue has been fixed by rejecting paths that contain repeated slashes, ensuring consistent behavior between route matching and static file resolution.

Impact

An attacker can access static files that are intended to be protected by route-based middleware by using repeated slashes in the request path.

This can lead to unauthorized access to sensitive files under the static root.

This issue affects applications that rely on serveStatic together with route-based middleware for access control.

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Hono has incorrect IP matching in ipRestriction() for IPv4-mapped IPv6 addresses

CVE-2026-39409 / GHSA-xpcf-pg52-r92g

More information

Details

Summary

ipRestriction() does not canonicalize IPv4-mapped IPv6 client addresses (e.g. ::ffff:127.0.0.1) before applying IPv4 allow or deny rules. In environments such as Node.js dual-stack, this can cause IPv4 rules to fail to match, leading to unintended authorization behavior.

Details

The middleware classifies client addresses based on their textual form. Addresses containing ":" are treated as IPv6, including IPv4-mapped IPv6 addresses such as ::ffff:127.0.0.1. These addresses are not normalized to IPv4 before matching.

As a result:

  • IPv4 static rules (e.g. 127.0.0.1) do not match because the raw string differs
  • IPv4 CIDR rules (e.g. 127.0.0.0/8, 10.0.0.0/8) are skipped because the address is treated as IPv6

For example, with:

denyList: ['127.0.0.1']

a request from 127.0.0.1 may be represented as ::ffff:127.0.0.1 and bypass the deny rule.

This behavior commonly occurs in Node.js environments where IPv4 clients are exposed as IPv4-mapped IPv6 addresses.

Impact

Applications that rely on IPv4-based ipRestriction() rules may incorrectly allow or deny requests.

In affected deployments, a denied IPv4 client may bypass access restrictions. Conversely, legitimate clients may be rejected when using IPv4 allow lists.

Severity

  • CVSS Score: 6.3 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Hono: Non-breaking space prefix bypass in cookie name handling in getCookie()

CVE-2026-39410 / GHSA-r5rp-j6wh-rvv4

More information

Details

Summary

A discrepancy between browser cookie parsing and parse() handling allows cookie prefix protections to be bypassed.

Cookie names that are treated as distinct by the browser may be normalized to the same key by parse(), allowing attacker-controlled cookies to override legitimate ones.

Details

Browsers follow RFC 6265bis and only trim SP (0x20) and HTAB (0x09) from cookie names. Other characters, such as the non-breaking space (U+00A0), are preserved as part of the cookie name.

For example, the browser treats the following cookies as distinct:

"dummy-cookie"
"\u00a0dummy-cookie"

However, parse() previously used JavaScript's trim(), which removes a broader set of characters including U+00A0. As a result, both names are normalized to:

"dummy-cookie"

This mismatch allows attacker-controlled cookies with a U+00A0 prefix to shadow or override legitimate cookies when accessed via getCookie().

Impact

An attacker who can set cookies (e.g., via a man-in-the-middle on a non-secure page or other injection vector) can bypass cookie prefix protections and override sensitive cookies.

This may lead to:

  • Bypassing __Secure- and __Host- prefix protections
  • Overriding cookies that rely on the Secure attribute
  • Session fixation or session hijacking depending on application usage

This issue affects applications that rely on getCookie() for security-sensitive cookie handling.

Severity

  • CVSS Score: 4.8 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Hono missing validation of cookie name on write path in setCookie()

GHSA-26pp-8wgv-hjvm

More information

Details

Summary

Cookie names are not validated on the write path when using setCookie(), serialize(), or serializeSigned() to generate Set-Cookie headers.

While certain cookie attributes such as domain and path are validated, the cookie name itself may contain invalid characters.

This results in inconsistent handling of cookie names between parsing (read path) and serialization (write path).

Details

When applications use setCookie(), serialize(), or serializeSigned() with a user-controlled cookie name, invalid values (e.g., containing control characters such as \r or \n) can be used to construct malformed Set-Cookie header values.

For example:

Set-Cookie: legit
X-Injected: evil=value

However, in modern runtimes such as Node.js and Cloudflare Workers, such invalid header values are rejected and result in a runtime error before the response is sent.

As a result, the reported header injection / response splitting behavior could not be reproduced in these environments.

Impact

Applications that pass untrusted input as the cookie name to setCookie(), serialize(), or serializeSigned() may encounter runtime errors due to invalid header values.

In tested environments, malformed Set-Cookie headers are rejected before being sent, and the reported header injection behavior could not be reproduced.

This issue primarily affects correctness and robustness rather than introducing a confirmed exploitable vulnerability.

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


hono Improperly Handles JSX Attribute Names Allows HTML Injection in hono/jsx SSR

GHSA-458j-xx4x-4375

More information

Details

Summary

Improper handling of JSX attribute names in hono/jsx allows malformed attribute keys to corrupt the generated HTML output.

When untrusted input is used as attribute keys during server-side rendering, specially crafted keys can break out of attribute or tag boundaries and inject unintended HTML.

Details

When rendering JSX elements to HTML strings, attribute values are escaped, but attribute names (keys) were previously inserted into the output without validation.

If an attribute name contains characters such as ", >, or whitespace, it can alter the structure of the generated HTML.

For example, malformed attribute names can:

  • Break out of the current attribute and introduce unintended additional attributes
  • Break out of the current HTML tag and inject new elements into the output

This issue arises when untrusted input (such as query parameters or form data) is used as JSX attribute keys during server-side rendering.

Impact

An attacker who can control attribute keys used in JSX rendering may inject unintended attributes or HTML elements into the generated output.

This may lead to:

  • Injection of unexpected HTML attributes
  • Corruption of the HTML structure
  • Potential cross-site scripting (XSS) if combined with unsafe usage patterns

This issue affects applications that pass untrusted input as JSX attribute keys during server-side rendering.

Severity

  • CVSS Score: 4.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


hono/jsx has Unvalidated JSX Tag Names that May Allow HTML Injection

CVE-2026-44455 / GHSA-69xw-7hcm-h432

More information

Details

Summary

Improper handling of JSX element tag names in hono/jsx allowed unvalidated tag names to be directly inserted into the generated HTML output.

When untrusted input is used as a tag name via the programmatic jsx() or createElement() APIs during server-side rendering, specially crafted values may break out of the intended element context and inject unintended HTML.

Details

When rendering JSX elements to HTML strings, attribute values are escaped and attribute names are validated. However, element tag names were previously inserted into the output without validation.

If a tag name contains characters such as <, >, quotes, or whitespace, it may alter the structure of the generated HTML.

For example, malformed tag names can:

  • Break out of the intended element and introduce unintended HTML elements
  • Inject attributes or event handlers into the rendered output

This issue arises when untrusted input (such as query parameters or database content) is used as JSX tag names via jsx() or createElement() during server-side rendering.

Impact

An attacker who can control tag names used in JSX rendering may inject unintended HTML into the generated output.

This may lead to:

  • Injection of unexpected HTML elements or attributes
  • Corruption of the HTML structure
  • Cross-site scripting (XSS) when combined with unsafe usage patterns

This issue only affects applications that construct JSX tag names from untrusted input. Applications using static or allowlisted tag names are not affected.

Severity

  • CVSS Score: 4.7 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Hono: bodyLimit() can be bypassed for chunked / unknown-length requests

CVE-2026-44456 / GHSA-9vqf-7f2p-gf9v

More information

Details

Summary

bodyLimit() does not reliably enforce maxSize for requests without a usable Content-Length (e.g. Transfer-Encoding: chunked). Oversized requests can reach handlers and return 200 instead of 413.

Details

For chunked / unknown-length requests, bodyLimit() wraps the body in a stream that counts bytes asynchronously, then runs the handler before the size decision is final. The 413 is only applied afterwards by checking c.error.

This lets the limit be bypassed when:

  • the handler does not read the body,
  • the handler reads only the first chunk(s) and returns, or
  • the handler reads the body but swallows the read error in try/catch.

In all three cases the handler returns 200 before the limit check completes (or its result is observed).

The fix is to enforce the size decision before next() runs, instead of retrofitting the response via c.error afterwards.

Impact

Applications relying on bodyLimit() as a hard boundary can be bypassed: oversized chunked requests can reach handler logic and return successful responses. Per-request data exposure is bounded by maxSize, but the documented guarantee — "oversized requests are rejected before business logic runs" — does not hold.

Credits
  • @lalalala5678 (slow chunked / early return variants)
  • @Jvr2022 (error handling bypass)

Severity

  • CVSS Score: 6.5 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Hono's Cache Middleware ignores Vary: Authorization / Vary: Cookie leading to cross-user cache leakage

CVE-2026-44457 / GHSA-p77w-8qqv-26rm

More information

Details

Summary

Cache Middleware does not skip caching for responses that declare per-user variance via Vary: Authorization or Vary: Cookie. As a result, a response cached for one authenticated user may be served to subsequent requests from different users.

Details

The Cache Middleware skips caching when a response carries Vary: *, certain Cache-Control directives (private, no-store, no-cache), or Set-Cookie. However, Vary: Authorization and Vary: Cookie — the standard signals defined in RFC 9110 / RFC 9111 to indicate per-user responses — are not treated as cache-skip reasons.

This issue arises when applications use the Cache Middleware on endpoints that return user-specific data and rely on Vary: Authorization or Vary: Cookie to scope the response per user, without also setting Cache-Control: private.

Impact

A user may receive a cached response that was originally generated for a different authenticated user. This may lead to:

  • Disclosure of personally identifiable information or other user-specific data present in the response body
  • Inconsistent or incorrect behavior in user-specific endpoints

This issue affects applications that use the Cache Middleware on endpoints whose responses vary by Authorization or Cookie and that do not also set Cache-Control: private.

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Hono has improper validation of NumericDate claims (exp, nbf, iat) in JWT verify()

CVE-2026-44459 / GHSA-hm8q-7f3q-5f36

More information

Details

Summary

Improper validation of the JWT NumericDate claims exp, nbf, and iat in hono/utils/jwt allows tokens with non-spec-compliant claim values to silently bypass time-based checks. This issue is not exploitable by an anonymous attacker; it only manifests when a malformed claim value reaches verify() — typically when the application itself issues such tokens, or when the signing key is otherwise under attacker control.

Details

The validation routine combined option, presence, and threshold checks in a single short-circuiting expression, so several classes of malformed values were silently skipped instead of rejected:

  • A falsy numeric value short-circuited the presence check.
  • A non-finite numeric value compared as never-after-now and never-expired.
  • A non-numeric type produced NaN comparisons that evaluated false.

This deviates from RFC 7519 §4.1.4, which defines NumericDate as a finite JSON numeric value.

Impact

An actor able to issue tokens accepted by the application may craft tokens whose exp, nbf, or iat claims silently bypass time-based enforcement. This may lead to:

  • Tokens treated as never expiring even with exp configured on the verifier.
  • Tokens with a future nbf accepted as currently valid.
  • Tokens with a future iat accepted as legitimately issued.

Deployments using a well-formed token issuer and protecting the signing key are not affected.

Severity

  • CVSS Score: 3.8 / 10 (Low)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Hono has CSS Declaration Injection via Style Object Values in JSX SSR

CVE-2026-44458 / GHSA-qp7p-654g-cw7p

More information

Details

Summary

The JSX renderer escapes style attribute object values for HTML but not for CSS. Untrusted input in a style object value or property name can therefore inject additional CSS declarations into the rendered style attribute. The impact is limited to CSS and does not allow JavaScript execution or HTML attribute breakout.

Details

style object values are serialized into a CSS declaration list and escaped for HTML attribute context only. Characters that act as CSS declaration boundaries — such as ;, comment markers, quoted strings, and block delimiters — are valid in HTML attribute content and can extend a value beyond its assigned property.

This issue arises when untrusted input is interpolated into a JSX style object and rendered server-side.

Impact

An attacker who can control the value or property name of a style object may inject arbitrary CSS declarations. This may lead to:

  • Visual manipulation of the page, including full-viewport overlays usable for phishing
  • Outbound requests to attacker-controlled hosts via CSS resource references such as url(...)
  • Hijacking of UI affordances through layout, positioning, or visibility changes

This issue affects applications that render JSX on the server with style object values or property names derived from untrusted input.

Severity

  • CVSS Score: 4.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

References

Note

PR body was truncated to here.
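The NumericDate advisory above describes three malformed claim classes that a single short-circuiting expression lets through. As an added example (not Hono's code), the pattern it describes sits beside a validator that treats exp, nbf and iat as RFC 7519 NumericDate values; `payload` is assumed to be the claims object of a token whose signature has already been verified, and times are seconds since the epoch.

```javascript
// Added example, not Hono's code: checking JWT NumericDate claims the way
// RFC 7519 §4.1.4 requires (a finite JSON number), next to the short-circuiting
// pattern the advisory describes. Assumes `payload` is the claims object of a
// token whose signature has already been verified; times are seconds since the epoch.

// The pattern the advisory describes: option, presence and threshold folded into
// one expression. exp: 0 is falsy and skips the check, exp: Infinity is never
// <= now, and exp: "never" compares as NaN, so all three read as "not expired".
function naiveIsExpired(payload, now) {
  return Boolean(payload.exp && payload.exp <= now);
}

// RFC 7519 NumericDate: a finite number. Strings, NaN and Infinity are malformed.
function isNumericDate(v) {
  return typeof v === 'number' && Number.isFinite(v);
}

// Returns null when the time claims are acceptable, otherwise a rejection reason.
// Presence is tested with `in`, so exp: 0 is validated (and found expired) rather
// than treated as absent; malformed values are rejected instead of skipped.
function checkTimeClaims(payload, now, { requireExp = true, skew = 0 } = {}) {
  for (const name of ['exp', 'nbf', 'iat']) {
    if (name in payload && !isNumericDate(payload[name])) {
      return `${name} is not a finite number`;
    }
  }
  if (requireExp && !('exp' in payload)) return 'exp is required';
  if ('exp' in payload && payload.exp <= now - skew) return 'token expired';
  if ('nbf' in payload && payload.nbf > now + skew) return 'token not yet valid';
  if ('iat' in payload && payload.iat > now + skew) return 'token issued in the future';
  return null;
}

// Constructed sample claims (not real tokens) exercising the three malformed classes.
const NOW = 1_700_000_000;
const SAMPLES = [
  { exp: 0 },          // falsy but a valid NumericDate: expired in 1970
  { exp: Infinity },   // non-finite: malformed
  { exp: 'never' },    // non-numeric: malformed
];
for (const claims of SAMPLES) {
  console.log(JSON.stringify(claims),
    'naive:', naiveIsExpired(claims, NOW) ? 'reject' : 'accept',
    '| strict:', checkTimeClaims(claims, NOW) ?? 'accept');
}
```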
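For the Cache Middleware advisory above, this added example (not Hono's code) shows a cache-admission check that adds Vary: Authorization and Vary: Cookie to the skip reasons the advisory says were already honoured. It takes a plain object of response headers (name to value) so it runs without a Fetch implementation; the helper names are this example's own.

```javascript
// Added example, not Hono's code: a cache-admission check that treats
// Vary: Authorization and Vary: Cookie as per-user signals (RFC 9110 §12.5.5,
// RFC 9111) in addition to the skip reasons the advisory says the middleware
// already honoured. Takes a plain object of response headers (name -> value).

// Lower-case header names and join repeated fields as RFC 9110 list syntax allows.
function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    const key = name.toLowerCase();
    out[key] = key in out ? `${out[key]}, ${value}` : String(value);
  }
  return out;
}

// Split a comma-separated list header into trimmed, lower-cased tokens.
function listTokens(h, name) {
  return (h[name] || '').split(',').map((t) => t.trim().toLowerCase()).filter(Boolean);
}

// A cache that does not key entries on these request headers would hand one
// user's response to another, so their presence in Vary means "do not store".
const PER_USER_VARY = { authorization: 'Vary: Authorization', cookie: 'Vary: Cookie' };

// Returns the reason the response must not be stored, or null when caching is allowed.
function cacheSkipReason(rawHeaders) {
  const h = normalizeHeaders(rawHeaders);
  // Directive names only: `private="x"` and `max-age=60` both reduce to their name.
  const directives = listTokens(h, 'cache-control').map((d) => d.split('=')[0]);
  for (const d of ['private', 'no-store', 'no-cache']) {
    if (directives.includes(d)) return `Cache-Control: ${d}`;
  }
  if ('set-cookie' in h) return 'Set-Cookie';
  const vary = listTokens(h, 'vary');
  if (vary.includes('*')) return 'Vary: *';
  for (const [field, reason] of Object.entries(PER_USER_VARY)) {
    if (vary.includes(field)) return reason;
  }
  return null;
}

// Constructed response headers for a user-specific endpoint: no Cache-Control: private,
// only Vary: Authorization. This is the advisory's failure case and must not be cached.
const PROFILE_RESPONSE = {
  'Content-Type': 'application/json',
  Vary: 'Accept-Encoding, Authorization',
};
console.log(cacheSkipReason(PROFILE_RESPONSE)); // Vary: Authorization
```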

@renovate renovate Bot force-pushed the renovate/npm-hono-vulnerability branch from 754eb4e to f73ff76 January 19, 2026 14:48
@renovate renovate Bot force-pushed the renovate/npm-hono-vulnerability branch from f73ff76 to 6ab078f January 27, 2026 19:24
@renovate renovate Bot changed the title chore(deps): update dependency hono to v4.11.4 [security] chore(deps): update dependency hono to v4.11.7 [security] Jan 27, 2026
@renovate renovate Bot force-pushed the renovate/npm-hono-vulnerability branch from 6ab078f to 4a5c266 February 12, 2026 14:43
@renovate renovate Bot force-pushed the renovate/npm-hono-vulnerability branch from 4a5c266 to bf1c04f February 20, 2026 18:54
@renovate renovate Bot changed the title chore(deps): update dependency hono to v4.11.7 [security] chore(deps): update dependency hono to v4.11.10 [security] Feb 20, 2026
@renovate renovate Bot force-pushed the renovate/npm-hono-vulnerability branch from bf1c04f to 6c5debe March 4, 2026 20:14
@renovate renovate Bot changed the title chore(deps): update dependency hono to v4.11.10 [security] chore(deps): update dependency hono to v4.12.4 [security] Mar 4, 2026
@renovate renovate Bot force-pushed the renovate/npm-hono-vulnerability branch from 6c5debe to 3f272b9 March 11, 2026 01:32
@renovate renovate Bot changed the title chore(deps): update dependency hono to v4.12.4 [security] chore(deps): update dependency hono to v4.12.7 [security] Mar 11, 2026
@renovate renovate Bot changed the title chore(deps): update dependency hono to v4.12.7 [security] chore(deps): update dependency hono to v4.12.7 [security] - autoclosed Mar 27, 2026
@renovate renovate Bot closed this Mar 27, 2026
@renovate renovate Bot deleted the renovate/npm-hono-vulnerability branch March 27, 2026 01:30
@renovate renovate Bot changed the title chore(deps): update dependency hono to v4.12.7 [security] - autoclosed chore(deps): update dependency hono to v4.12.7 [security] Mar 30, 2026
@renovate renovate Bot reopened this Mar 30, 2026
@renovate renovate Bot force-pushed the renovate/npm-hono-vulnerability branch 2 times, most recently from 3f272b9 to 917384e March 30, 2026 17:56
@renovate renovate Bot force-pushed the renovate/npm-hono-vulnerability branch from 917384e to f6dcb97 April 8, 2026 01:59
@renovate renovate Bot changed the title chore(deps): update dependency hono to v4.12.7 [security] chore(deps): update dependency hono to v4.12.12 [security] Apr 8, 2026
@renovate renovate Bot force-pushed the renovate/npm-hono-vulnerability branch from f6dcb97 to d235fcf April 16, 2026 10:15
@renovate renovate Bot changed the title chore(deps): update dependency hono to v4.12.12 [security] chore(deps): update dependency hono to v4.12.14 [security] Apr 16, 2026
@renovate renovate Bot changed the title chore(deps): update dependency hono to v4.12.14 [security] chore(deps): update dependency hono to v4.12.14 [security] - autoclosed Apr 27, 2026
@renovate renovate Bot closed this Apr 27, 2026
@renovate renovate Bot changed the title chore(deps): update dependency hono to v4.12.14 [security] - autoclosed chore(deps): update dependency hono to v4.12.14 [security] Apr 27, 2026
@renovate renovate Bot reopened this Apr 27, 2026
@renovate renovate Bot force-pushed the renovate/npm-hono-vulnerability branch 2 times, most recently from d235fcf to dfd81b5 April 27, 2026 21:28
@renovate renovate Bot force-pushed the renovate/npm-hono-vulnerability branch from dfd81b5 to 11eb2dc May 8, 2026 14:59
@renovate renovate Bot changed the title chore(deps): update dependency hono to v4.12.14 [security] chore(deps): update dependency hono to v4.12.16 [security] May 8, 2026
@renovate renovate Bot force-pushed the renovate/npm-hono-vulnerability branch from 11eb2dc to 1ff3d1f May 9, 2026 04:41
@renovate renovate Bot changed the title chore(deps): update dependency hono to v4.12.16 [security] chore(deps): update dependency hono to v4.12.18 [security] May 9, 2026