VYPR

apk package

chainguard/hono-cli

pkg:apk/chainguard/hono-cli

Vulnerabilities (37)

  • CVE-2026-42580MedMay 13, 2026
    affected < 2.7.0-r14fixed 2.7.0-r14

    Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's chunk size parser silently overflows int, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.

  • CVE-2026-42579HigMay 13, 2026
    affected < 2.7.0-r15fixed 2.7.0-r15

    Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's DNS codec does not enforce RFC 1035 domain name constraints during either encoding or decoding. This creates a bidirectional attack surface: malicious DNS respon

  • CVE-2026-42578HigMay 13, 2026
    affected < 2.7.0-r19fixed 2.7.0-r19

    Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's HttpProxyHandler constructs HTTP CONNECT requests with header validation explicitly disabled. The newInitialMessage() method creates headers using DefaultHttpHea

  • CVE-2026-41417MedMay 6, 2026
    affected < 2.7.0-r14fixed 2.7.0-r14

    Netty allows request-line validation to be bypassed when a `DefaultHttpRequest` or `DefaultFullHttpRequest` is created first and its URI is later changed via `setUri()`. The constructors reject CRLF and whitespace characters that would break the start-line, but `setUri()` does no

  • CVE-2026-39410MedApr 8, 2026
    affected < 0fixed 0

    Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, a discrepancy between browser cookie parsing and parse() handling allows cookie prefix protections to be bypassed. Cookie names that are treated as distinct by the browser may

  • CVE-2026-39409MedApr 8, 2026
    affected < 0fixed 0

    Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, ipRestriction() does not canonicalize IPv4-mapped IPv6 client addresses (e.g. ::ffff:127.0.0.1) before applying IPv4 allow or deny rules. In environments such as Node.js dual-s

  • CVE-2026-39408HigApr 8, 2026
    affected < 0fixed 0

    Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, a path traversal issue in toSSG() allows files to be written outside the configured output directory during static site generation. When using dynamic route parameters via ssgP

  • CVE-2026-39407MedApr 8, 2026
    affected < 0fixed 0

    Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, a path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes (//) in the request path. When route-based middleware (e.g.,

  • CVE-2026-33871Mar 27, 2026
    affected < 2.7.0-r7fixed 2.7.0-r7

    Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, a remote user can trigger a Denial of Service (DoS) against a Netty HTTP/2 server by sending a flood of `CONTINUATION` frames. The server's lack of a limit o

  • CVE-2026-33870Mar 27, 2026
    affected < 2.7.0-r6fixed 2.7.0-r6

    Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks. Versions 4.1.132.Final an

  • CVE-2026-29085Mar 4, 2026
    affected < 0fixed 0

    Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.12.4, when using streamSSE() in Streaming Helper, the event, id, and retry fields were not validated for carriage return (\r) or newline (\n) characters. Because the SSE proto

  • CVE-2026-29045Mar 4, 2026
    affected < 0fixed 0

    Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.12.4, when using serveStatic together with route-based middleware protections (e.g. app.use('/admin/*', ...)), inconsistent URL decoding allowed protected static resources to

  • CVE-2026-29086Mar 4, 2026
    affected < 0fixed 0

    Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.12.4, the setCookie() utility did not validate semicolons (;), carriage returns (\r), or newline characters (\n) in the domain and path options when constructing the Set-Cooki

  • CVE-2025-62610Oct 22, 2025
    affected < 0fixed 0

    Hono is a Web application framework that provides support for any JavaScript runtime. In versions from 1.1.0 to before 4.10.2, Hono’s JWT Auth Middleware does not provide a built-in aud (Audience) verification option, which can cause confused-deputy / token-mix-up issues: an API

  • CVE-2024-48913Oct 15, 2024
    affected < 0fixed 0

    Hono, a web framework, prior to version 4.6.5 is vulnerable to bypass of cross-site request forgery (CSRF) middleware by a request without Content-Type header. Although the CSRF middleware verifies the Content-Type Header, Hono always considers a request without a Content-Type he

  • CVE-2024-43787Aug 22, 2024
    affected < 0fixed 0

    Hono is a Web application framework that provides support for any JavaScript runtime. Hono CSRF middleware can be bypassed using crafted Content-Type header. MIME types are case insensitive, but isRequestedByFormElementRe only matches lower-case. As a result, attacker can bypass

  • CVE-2023-50710Dec 14, 2023
    affected < 0fixed 0

    Hono is a web framework written in TypeScript. Prior to version 3.11.7, clients may override named path parameter values from previous requests if the application is using TrieRouter. So, there is a risk that a privileged user may use unintended parameters when deleting REST API

Page 2 of 2