VYPR
Vypr Intelligence · AI-generated · May 31, 2026 · 4 CVEs

Hono 4.12.21: Four Medium-Severity CVEs Disclosed in a Single Advisory

Four medium-severity vulnerabilities in the Hono web framework were disclosed together on May 28, 2026, spanning path normalization bypass, cookie injection, IP-restriction evasion, and JWT scheme validation gaps.

Key findings

  • CVE-2026-47676: app.mount() path normalization mismatch can bypass prefix-based routing controls
  • CVE-2026-47674: IPv6 non-canonical representations evade ip-restriction middleware
  • CVE-2026-47675: Cookie serialize() skips validation on sameSite and priority attributes
  • CVE-2026-47673: JWT/JWK middlewares accept any Authorization scheme, not just Bearer
  • All four CVEs fixed in Hono 4.12.21, released May 28, 2026
  • No active exploitation reported as of disclosure date

The Honojs team released Hono version 4.12.21 on May 28, 2026, patching four medium-severity CVEs disclosed in a single coordinated advisory. Hono is a lightweight, multi-runtime web application framework used across Cloudflare Workers, Deno, Bun, and Node.js. The four flaws — CVE-2026-47673, CVE-2026-47674, CVE-2026-47675, and CVE-2026-47676 — each affect different components of the framework, but share a common theme: edge-case handling gaps in input validation and normalization that could allow attackers to bypass security controls.

**Path normalization mismatch in app.mount() (CVE-2026-47676, CVSS 5.3)**

The most architecturally significant bug is in Hono's app.mount() method. When a sub-application is mounted at a prefix, the framework strips that prefix from the incoming request path using the raw, still percent-encoded, URL pathname, while route matching inside the mounted application operates on the percent-decoded path. Because the two stages disagree about what the path is, a request whose prefix portion contains percent-encoded characters can make the stripping logic remove a different amount of the path than intended, so the mounted application sees a sub-path other than the one the outer routing layer matched and may dispatch it to an unintended handler. The advisory notes that this can bypass security controls in applications that rely on mount-prefix boundaries for access control or routing isolation. The code to audit is any place where an outer guard registered on the mount prefix and the mounted application are expected to agree on which handler a given request reaches.
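The raw-versus-decoded disagreement described above, as an added JavaScript illustration that is not Hono's code and does not reproduce its mount() internals: it models the two stages with a minimal prefix-strip function in an inconsistent and a consistent form, so the difference in the stripped amount is visible on constructed input. The function names and the encoded path /%61pi/admin are constructed for the illustration.

```javascript
// Added illustration, not Hono's mount() code: a minimal model of prefix stripping
// that makes the mount decision on the decoded path but strips by the raw path,
// beside a version that normalizes once and uses that one form throughout.

function safeDecode(path) {
  // decodeURIComponent throws on malformed escapes such as "%zz"; keep those literal
  try { return decodeURIComponent(path); } catch { return path; }
}

function matchesPrefix(decodedPath, prefix) {
  return prefix === '/' || decodedPath === prefix || decodedPath.startsWith(prefix + '/');
}

// Inconsistent: the decision uses the DECODED path, the strip uses the RAW path.
// When the raw prefix portion is percent-encoded it is longer than the prefix, so
// slicing by prefix.length removes a different amount of the path than intended.
function subPathInconsistent(rawPath, prefix) {
  if (!matchesPrefix(safeDecode(rawPath), prefix)) return null;   // not mounted here
  if (prefix === '/') return rawPath;
  return rawPath.slice(prefix.length) || '/';
}

// Consistent: decode first, then match and strip on the same string.
function subPathConsistent(rawPath, prefix) {
  const decoded = safeDecode(rawPath);
  if (!matchesPrefix(decoded, prefix)) return null;
  if (prefix === '/') return decoded;
  return decoded.slice(prefix.length) || '/';
}

// Side-by-side view of what the mounted application would receive.
function compareStrip(rawPath, prefix) {
  return {
    inconsistent: subPathInconsistent(rawPath, prefix),
    consistent: subPathConsistent(rawPath, prefix),
  };
}

// Constructed inputs: "/%61pi" decodes to "/api" but is two characters longer.
console.log(compareStrip('/api/admin', '/api'));    // both "/admin"
console.log(compareStrip('/%61pi/admin', '/api'));  // inconsistent "pi/admin", consistent "/admin"
```

The consistent variant is the general rule: decode (or otherwise normalize) exactly once, as early as possible, and make every routing and authorization decision on that one string, so no later stage can disagree about where the prefix ends.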

**IP-restriction middleware evasion (CVE-2026-47674, CVSS 5.3)**

The hono/ip-restriction middleware compares the incoming IP address against configured allow and deny lists by string equality after only partial normalization. Non-canonical IPv6 spellings, such as groups with leading zeros, upper-case hex digits, or a different choice of which zero run is compressed with "::", therefore fail to match a rule written in another spelling. For example, 2001:db8::1 and 2001:0db8:0000:0000:0000:0000:0000:0001 are the same address but do not compare equal under the middleware's logic. For a deny rule this is a bypass: a request whose address is presented in a spelling the rule does not use is not denied. For an allow rule the failure runs the other way, and a legitimate client whose address is spelled differently from the rule is refused. Whether an attacker can choose the spelling depends on where the address string comes from: a value derived from client-supplied input is directly attacker-controlled, while an address reported by the runtime's connection info is only as canonical as that runtime makes it, so the mismatch can also arise between the runtime's formatting and the operator's rule.
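An added example, not the hono/ip-restriction implementation, of the normalization step that the mitigation under Patch and response calls for: canonicalize IPv6 text per RFC 5952 before comparing, shown beside the string-equality comparison that fails. The helper handles only IPv6 literals (IPv4 text and unparseable input come back as null, and the strict comparison fails closed on them); the deny list and client addresses are constructed inputs.

```javascript
// Added example, not hono/ip-restriction's code: RFC 5952 canonical form for
// comparison, so every spelling of one IPv6 address compares equal.

function canonicalizeIPv6(addr) {
  if (typeof addr !== 'string') return null;
  let s = addr.trim().toLowerCase();
  const zone = s.indexOf('%');                  // drop a zone id such as "%eth0"
  if (zone !== -1) s = s.slice(0, zone);
  if (s.includes('.')) {                        // embedded IPv4, e.g. ::ffff:192.0.2.1
    const cut = s.lastIndexOf(':');
    const octets = s.slice(cut + 1).split('.');
    if (octets.length !== 4 || octets.some((o) => !/^\d{1,3}$/.test(o) || Number(o) > 255)) return null;
    const [a, b, c, d] = octets.map(Number);
    s = s.slice(0, cut + 1) + ((a << 8) | b).toString(16) + ':' + ((c << 8) | d).toString(16);
  }
  const halves = s.split('::');
  if (halves.length > 2) return null;           // at most one "::"
  const head = halves[0] ? halves[0].split(':') : [];
  const tail = halves.length === 2 && halves[1] ? halves[1].split(':') : [];
  const fill = halves.length === 2 ? 8 - head.length - tail.length : 0;
  if (fill < 0) return null;
  const groups = [...head, ...new Array(fill).fill('0'), ...tail];
  if (groups.length !== 8) return null;         // also rejects IPv4-only text
  const nums = [];
  for (const g of groups) {
    if (!/^[0-9a-f]{1,4}$/.test(g)) return null;
    nums.push(parseInt(g, 16));
  }
  // RFC 5952 4.2: compress the longest run of zero groups (the first one on a tie),
  // and only when the run is at least two groups long.
  let bestStart = -1, bestLen = 0, runStart = -1, runLen = 0;
  for (let i = 0; i < 8; i++) {
    if (nums[i] === 0) {
      if (runLen === 0) runStart = i;
      runLen++;
      if (runLen > bestLen) { bestLen = runLen; bestStart = runStart; }
    } else {
      runLen = 0;
    }
  }
  const hex = nums.map((n) => n.toString(16)); // lowercase, no leading zeros
  if (bestLen < 2) return hex.join(':');
  return hex.slice(0, bestStart).join(':') + '::' + hex.slice(bestStart + bestLen).join(':');
}

// Weak comparison: the rule matches only the exact spelling it was written in.
function isDeniedWeak(clientIp, denyList) {
  return denyList.includes(clientIp);
}

// Hardened comparison: canonicalize both sides; anything that does not parse is denied.
function isDeniedStrict(clientIp, denyList) {
  const canon = canonicalizeIPv6(clientIp);
  if (canon === null) return true;             // fail closed on unparseable input
  return denyList.some((rule) => canonicalizeIPv6(rule) === canon);
}

// Constructed rule and client spellings of the same address.
const DENY = ['2001:db8::1'];
console.log(isDeniedWeak('2001:0DB8:0:0:0:0:0:1', DENY));   // false: the rule is evaded
console.log(isDeniedStrict('2001:0DB8:0:0:0:0:0:1', DENY)); // true
```

For CIDR rules the same canonical form is the right input: expand it to 128 bits and mask, rather than comparing prefixes of text. A real middleware also has to dispatch on address family, since IPv4 literals are rejected by this IPv6-only helper.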

**Cookie attribute injection (CVE-2026-47675, CVSS 4.3)**

Hono's serialize() function in hono/cookie rejects domain and path values that contain characters which would corrupt Set-Cookie header syntax, specifically semicolons, carriage returns, and newlines. The advisory reports that the sameSite and priority options are not subjected to the same validation. An application that passes user-controlled values into those attributes could therefore let an attacker terminate the cookie early and append attributes of their own, or, with CR/LF, split the response header in downstream parsers. These two attributes are usually literals in application code, which is consistent with this being the lowest-scored of the four; the exposure is in code that maps request input to cookie options.
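An added example, not hono/cookie's serialize(), of the two validation strategies: a weak serializer that checks only Domain and Path, beside a hardened one that maps fixed-vocabulary attributes through an allow-list and applies the header-character check to every free-text attribute. The option names mirror the ones the advisory mentions (domain, path, sameSite, priority); the injected sameSite value is a constructed attacker-influenced string.

```javascript
// Added illustration, not hono/cookie's serialize(): the same Set-Cookie builder with
// two validation strategies for the attributes the advisory names.

const HEADER_BREAK = /[;\r\n]/;   // ";" ends the cookie's attributes, CR/LF ends the header line
const SAME_SITE = new Map([['strict', 'Strict'], ['lax', 'Lax'], ['none', 'None']]);
const PRIORITY = new Map([['low', 'Low'], ['medium', 'Medium'], ['high', 'High']]);

function checkAttr(label, v) {
  if (typeof v !== 'string' || HEADER_BREAK.test(v)) {
    throw new TypeError(`${label} contains a header-breaking character`);
  }
  return v;
}

// Weak: Domain and Path are checked, SameSite and Priority are interpolated as given.
function serializeWeak(name, value, opts = {}) {
  let out = `${name}=${encodeURIComponent(value)}`;
  if (opts.domain !== undefined) out += `; Domain=${checkAttr('domain', opts.domain)}`;
  if (opts.path !== undefined) out += `; Path=${checkAttr('path', opts.path)}`;
  if (opts.sameSite !== undefined) out += `; SameSite=${opts.sameSite}`;
  if (opts.priority !== undefined) out += `; Priority=${opts.priority}`;
  if (opts.httpOnly) out += '; HttpOnly';
  if (opts.secure) out += '; Secure';
  return out;
}

// Hardened: attributes with a fixed vocabulary are mapped through an allow-list (a Map,
// so keys like "constructor" cannot fall through to Object.prototype), free-text
// attributes keep the character check, and SameSite=None without Secure is refused.
function serializeStrict(name, value, opts = {}) {
  if (!/^[A-Za-z0-9!#$%&'*+.^_`|~-]+$/.test(name)) throw new TypeError('invalid cookie name');
  let out = `${name}=${encodeURIComponent(value)}`;
  if (opts.domain !== undefined) out += `; Domain=${checkAttr('domain', opts.domain)}`;
  if (opts.path !== undefined) out += `; Path=${checkAttr('path', opts.path)}`;
  let sameSite;
  if (opts.sameSite !== undefined) {
    sameSite = SAME_SITE.get(String(opts.sameSite).toLowerCase());
    if (sameSite === undefined) throw new TypeError('invalid sameSite value');
    out += `; SameSite=${sameSite}`;
  }
  if (opts.priority !== undefined) {
    const priority = PRIORITY.get(String(opts.priority).toLowerCase());
    if (priority === undefined) throw new TypeError('invalid priority value');
    out += `; Priority=${priority}`;
  }
  if (opts.httpOnly) out += '; HttpOnly';
  if (sameSite === 'None' && !opts.secure) throw new TypeError('SameSite=None requires Secure');
  if (opts.secure) out += '; Secure';
  return out;
}

// Constructed attacker-influenced value: terminates the cookie and starts a second header line.
const INJECTED = 'Lax\r\nSet-Cookie: admin=1';
console.log(JSON.stringify(serializeWeak('sid', 'abc', { path: '/', sameSite: INJECTED })));
```

The allow-list is the important part: an attribute whose legal values are a small fixed set should never be interpolated from a string at all, so the character check becomes a second line of defence rather than the only one.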

**JWT/JWK middleware scheme bypass (CVE-2026-47673, CVSS 4.8)**

The jwt and jwk middlewares in Hono do not verify that the Authorization header uses the Bearer scheme. Any value that splits into two parts, whatever the scheme name in the first position, is passed on to JWT verification. An attacker could send Authorization: ArbitraryScheme <token>, and if the token is a validly signed JWT (for example one issued for a different context, or leaked), the middleware would accept it. The signature check itself is not weakened, since the attacker still needs a validly signed token; what the missing scheme check does is broaden token reuse across authentication contexts, and it means a client that presents credentials under another scheme is authenticated instead of being refused with a 401 and a WWW-Authenticate: Bearer challenge as RFC 6750 specifies.
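An added example, not hono/jwt's code, of the explicit Bearer scheme check that the Patch and response section suggests as an application-level mitigation: the weak two-part split beside an RFC 6750 parser, wrapped in a middleware of Hono's (c, next) shape. The use of c.req.header() and c.text() follows Hono's Context API as assumed here and is not exercised below; the tokens are constructed strings with the shape of a compact JWS, not real signed JWTs.

```javascript
// Added example, not hono/jwt's code: enforce the Bearer scheme before any
// token verification runs, beside the two-part split that accepts any scheme.

// RFC 6750 2.1: "Bearer" 1*SP b64token, scheme compared case-insensitively (RFC 7235).
const BEARER = /^Bearer[ \t]+([A-Za-z0-9\-._~+\/]+=*)[ \t]*$/i;

// Weak: whatever follows the first whitespace is treated as the token.
function extractTokenWeak(header) {
  if (typeof header !== 'string') return null;
  const parts = header.trim().split(/\s+/);
  return parts.length === 2 ? parts[1] : null;   // the scheme name is never inspected
}

// Strict: only the Bearer scheme with exactly one well-formed token is accepted.
function extractBearerToken(header) {
  if (typeof header !== 'string') return null;
  const m = BEARER.exec(header.trim());
  return m ? m[1] : null;
}

// Cheap shape check before signature verification: a compact JWS is three
// base64url segments; anything else is rejected without touching key material.
function isCompactJws(token) {
  return /^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$/.test(token);
}

// Pure decision function so the policy can be unit-tested without a framework.
function gateAuthorization(header) {
  const token = extractBearerToken(header);
  if (token === null || !isCompactJws(token)) {
    return { ok: false, status: 401, headers: { 'WWW-Authenticate': 'Bearer' } };
  }
  return { ok: true, token };
}

// Hono-style middleware (assumed shape: c.req.header() and c.text(body, status, headers)).
// Register it before jwt()/jwk() so only Bearer credentials reach token verification.
const requireBearerScheme = async (c, next) => {
  const gate = gateAuthorization(c.req.header('Authorization'));
  if (!gate.ok) return c.text('Unauthorized', gate.status, gate.headers);
  await next();
};

// Constructed token with JWS shape; it is not signed by anything.
const SAMPLE_TOKEN = 'eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIn0.c2ln';
console.log(extractTokenWeak('Basic ' + SAMPLE_TOKEN));    // the token, scheme ignored
console.log(extractBearerToken('Basic ' + SAMPLE_TOKEN));  // null
```

The regular expression is deliberately strict about whitespace: a header such as Bearer a b is rejected rather than having its first or last piece picked, so an attacker cannot smuggle a second token past a later parser that splits differently.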

Patch and response

All four vulnerabilities were fixed in Hono version 4.12.21, released on May 28, 2026. Users are advised to upgrade immediately. The Honojs team published the advisory through their GitHub security advisory channel, and no in-the-wild exploitation has been reported as of the disclosure date. For users unable to upgrade immediately, the advisory notes that the IP-restriction bypass (CVE-2026-47674) can be mitigated by normalizing IPv6 addresses before passing them to the middleware, and the JWT scheme bypass (CVE-2026-47673) can be mitigated by adding explicit Bearer scheme checks in application-level middleware.

Why this batch matters

While none of the four CVEs carry a "Critical" severity rating, their collective impact on Hono's security posture is significant. The framework is increasingly adopted in edge-computing and serverless environments where middleware-based security controls — IP restrictions, JWT authentication, and mount-prefix routing — are the primary defense layers. Each of these bugs undermines one of those layers in a subtle way that typical application-level testing is unlikely to catch. The batch serves as a reminder that input normalization inconsistencies across different stages of request processing remain a fertile ground for vulnerabilities in modern web frameworks.

AI-written article. Grounded in the 4 CVE records cited above.