VYPR
High severityNVD Advisory· Published Oct 22, 2025· Updated Oct 23, 2025

Hono Improperly Authorizes JWT Audience Validation

CVE-2025-62610

Description

Hono is a Web application framework that provides support for any JavaScript runtime. In versions from 1.1.0 to before 4.10.2, Hono’s JWT Auth Middleware does not provide a built-in aud (Audience) verification option, which can cause confused-deputy / token-mix-up issues: an API may accept a valid token that was issued for a different audience (e.g., another service) when multiple services share the same issuer/keys. This can lead to unintended cross-service access. Hono’s docs list verification options for iss/nbf/iat/exp only, with no aud support; RFC 7519 requires that when an aud claim is present, tokens MUST be rejected unless the processing party identifies itself in that claim. This issue has been patched in version 4.10.2.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
hononpm
>= 1.1.0, < 4.10.24.10.2

Affected products

9

Patches

Vulnerability mechanics

References

4

News mentions

0

No linked articles in our index yet.