npm package
hono
pkg:npm/hono
Vulnerabilities (26)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-44459 | Low | 3.8 | < 4.12.18 | 4.12.18 | May 13, 2026 | Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.18, improper validation of the JWT NumericDate claims exp, nbf, and iat in hono/utils/jwt allows tokens with non-spec-compliant claim values to silently bypass time-based checks. T | |
| CVE-2026-44458 | Med | 4.3 | < 4.12.18 | 4.12.18 | May 13, 2026 | Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.18, the JSX renderer escapes style attribute object values for HTML but not for CSS. Untrusted input in a style object value or property name can therefore inject additional CSS de | |
| CVE-2026-44457 | Med | 5.3 | < 4.12.18 | 4.12.18 | May 13, 2026 | Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.18, Cache Middleware does not skip caching for responses that declare per-user variance via Vary: Authorization or Vary: Cookie. As a result, a response cached for one authenticate | |
| CVE-2026-44456 | Med | 6.5 | < 4.12.16 | 4.12.16 | May 13, 2026 | Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.16, bodyLimit() does not reliably enforce maxSize for requests without a usable Content-Length (e.g. Transfer-Encoding: chunked). Oversized requests can reach handlers and return 2 | |
| CVE-2026-44455 | Med | 4.7 | < 4.12.16 | 4.12.16 | May 13, 2026 | Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.16, Improper handling of JSX element tag names in hono/jsx allowed unvalidated tag names to be directly inserted into the generated HTML output. When untrusted input is used as a t | |
| CVE-2026-39410 | Med | 4.8 | < 4.12.12 | 4.12.12 | Apr 8, 2026 | Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, a discrepancy between browser cookie parsing and parse() handling allows cookie prefix protections to be bypassed. Cookie names that are treated as distinct by the browser may | |
| CVE-2026-39409 | Med | 5.3 | < 4.12.12 | 4.12.12 | Apr 8, 2026 | Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, ipRestriction() does not canonicalize IPv4-mapped IPv6 client addresses (e.g. ::ffff:127.0.0.1) before applying IPv4 allow or deny rules. In environments such as Node.js dual-s | |
| CVE-2026-39408 | Hig | 7.5 | >= 4.0.0, < 4.12.12 | 4.12.12 | Apr 8, 2026 | Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, a path traversal issue in toSSG() allows files to be written outside the configured output directory during static site generation. When using dynamic route parameters via ssgP | |
| CVE-2026-39407 | Med | 5.3 | < 4.12.12 | 4.12.12 | Apr 8, 2026 | Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, a path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes (//) in the request path. When route-based middleware (e.g., | |
| CVE-2026-29085 | — | < 4.12.4 | 4.12.4 | Mar 4, 2026 | Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.12.4, when using streamSSE() in Streaming Helper, the event, id, and retry fields were not validated for carriage return (\r) or newline (\n) characters. Because the SSE proto | ||
| CVE-2026-29045 | — | < 4.12.4 | 4.12.4 | Mar 4, 2026 | Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.12.4, when using serveStatic together with route-based middleware protections (e.g. app.use('/admin/*', ...)), inconsistent URL decoding allowed protected static resources to | ||
| CVE-2026-29086 | — | < 4.12.4 | 4.12.4 | Mar 4, 2026 | Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.12.4, the setCookie() utility did not validate semicolons (;), carriage returns (\r), or newline characters (\n) in the domain and path options when constructing the Set-Cooki | ||
| CVE-2026-27700 | — | >= 4.12.0, < 4.12.2 | 4.12.2 | Feb 25, 2026 | Hono is a Web application framework that provides support for any JavaScript runtime. In versions 4.12.0 and 4.12.1, when using the AWS Lambda adapter (`hono/aws-lambda`) behind an Application Load Balancer (ALB), the `getConnInfo()` function incorrectly selected the first value | ||
| CVE-2026-24771 | — | < 4.11.7 | 4.11.7 | Jan 27, 2026 | Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.11.7, a Cross-Site Scripting (XSS) vulnerability exists in the `ErrorBoundary` component of the hono/jsx library. Under certain usage patterns, untrusted user-controlled strin | ||
| CVE-2026-24473 | — | < 4.11.7 | 4.11.7 | Jan 27, 2026 | Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.11.7, Serve static Middleware for the Cloudflare Workers adapter contains an information disclosure vulnerability that may allow attackers to read arbitrary keys from the Work | ||
| CVE-2026-24472 | — | < 4.11.7 | 4.11.7 | Jan 27, 2026 | Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.11.7, Cache Middleware contains an information disclosure vulnerability caused by improper handling of HTTP cache control directives. The middleware does not respect standard | ||
| CVE-2026-24398 | — | < 4.11.7 | 4.11.7 | Jan 27, 2026 | Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.11.7, IP Restriction Middleware in Hono is vulnerable to an IP address validation bypass. The `IPV4_REGEX` pattern and `convertIPv4ToBinary` function in `src/utils/ipaddr.ts` | ||
| CVE-2026-22817 | — | < 4.11.4 | 4.11.4 | Jan 13, 2026 | Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.11.4, there is a flaw in Hono’s JWK/JWKS JWT verification middleware allowed the JWT header’s alg value to influence signature verification when the selected JWK did not explicitly sp | ||
| CVE-2026-22818 | — | < 4.11.4 | 4.11.4 | Jan 13, 2026 | Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.11.4, there is a flaw in Hono’s JWK/JWKS JWT verification middleware allowed the algorithm specified in the JWT header to influence signature verification when the selected JWK did no | ||
| CVE-2025-62610 | — | >= 1.1.0, < 4.10.2 | 4.10.2 | Oct 22, 2025 | Hono is a Web application framework that provides support for any JavaScript runtime. In versions from 1.1.0 to before 4.10.2, Hono’s JWT Auth Middleware does not provide a built-in aud (Audience) verification option, which can cause confused-deputy / token-mix-up issues: an API |
- affected < 4.12.18fixed 4.12.18
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.18, improper validation of the JWT NumericDate claims exp, nbf, and iat in hono/utils/jwt allows tokens with non-spec-compliant claim values to silently bypass time-based checks. T
- affected < 4.12.18fixed 4.12.18
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.18, the JSX renderer escapes style attribute object values for HTML but not for CSS. Untrusted input in a style object value or property name can therefore inject additional CSS de
- affected < 4.12.18fixed 4.12.18
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.18, Cache Middleware does not skip caching for responses that declare per-user variance via Vary: Authorization or Vary: Cookie. As a result, a response cached for one authenticate
- affected < 4.12.16fixed 4.12.16
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.16, bodyLimit() does not reliably enforce maxSize for requests without a usable Content-Length (e.g. Transfer-Encoding: chunked). Oversized requests can reach handlers and return 2
- affected < 4.12.16fixed 4.12.16
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.16, Improper handling of JSX element tag names in hono/jsx allowed unvalidated tag names to be directly inserted into the generated HTML output. When untrusted input is used as a t
- affected < 4.12.12fixed 4.12.12
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, a discrepancy between browser cookie parsing and parse() handling allows cookie prefix protections to be bypassed. Cookie names that are treated as distinct by the browser may
- affected < 4.12.12fixed 4.12.12
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, ipRestriction() does not canonicalize IPv4-mapped IPv6 client addresses (e.g. ::ffff:127.0.0.1) before applying IPv4 allow or deny rules. In environments such as Node.js dual-s
- affected >= 4.0.0, < 4.12.12fixed 4.12.12
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, a path traversal issue in toSSG() allows files to be written outside the configured output directory during static site generation. When using dynamic route parameters via ssgP
- affected < 4.12.12fixed 4.12.12
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, a path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes (//) in the request path. When route-based middleware (e.g.,
- CVE-2026-29085Mar 4, 2026affected < 4.12.4fixed 4.12.4
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.12.4, when using streamSSE() in Streaming Helper, the event, id, and retry fields were not validated for carriage return (\r) or newline (\n) characters. Because the SSE proto
- CVE-2026-29045Mar 4, 2026affected < 4.12.4fixed 4.12.4
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.12.4, when using serveStatic together with route-based middleware protections (e.g. app.use('/admin/*', ...)), inconsistent URL decoding allowed protected static resources to
- CVE-2026-29086Mar 4, 2026affected < 4.12.4fixed 4.12.4
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.12.4, the setCookie() utility did not validate semicolons (;), carriage returns (\r), or newline characters (\n) in the domain and path options when constructing the Set-Cooki
- CVE-2026-27700Feb 25, 2026affected >= 4.12.0, < 4.12.2fixed 4.12.2
Hono is a Web application framework that provides support for any JavaScript runtime. In versions 4.12.0 and 4.12.1, when using the AWS Lambda adapter (`hono/aws-lambda`) behind an Application Load Balancer (ALB), the `getConnInfo()` function incorrectly selected the first value
- CVE-2026-24771Jan 27, 2026affected < 4.11.7fixed 4.11.7
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.11.7, a Cross-Site Scripting (XSS) vulnerability exists in the `ErrorBoundary` component of the hono/jsx library. Under certain usage patterns, untrusted user-controlled strin
- CVE-2026-24473Jan 27, 2026affected < 4.11.7fixed 4.11.7
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.11.7, Serve static Middleware for the Cloudflare Workers adapter contains an information disclosure vulnerability that may allow attackers to read arbitrary keys from the Work
- CVE-2026-24472Jan 27, 2026affected < 4.11.7fixed 4.11.7
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.11.7, Cache Middleware contains an information disclosure vulnerability caused by improper handling of HTTP cache control directives. The middleware does not respect standard
- CVE-2026-24398Jan 27, 2026affected < 4.11.7fixed 4.11.7
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.11.7, IP Restriction Middleware in Hono is vulnerable to an IP address validation bypass. The `IPV4_REGEX` pattern and `convertIPv4ToBinary` function in `src/utils/ipaddr.ts`
- CVE-2026-22817Jan 13, 2026affected < 4.11.4fixed 4.11.4
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.11.4, there is a flaw in Hono’s JWK/JWKS JWT verification middleware allowed the JWT header’s alg value to influence signature verification when the selected JWK did not explicitly sp
- CVE-2026-22818Jan 13, 2026affected < 4.11.4fixed 4.11.4
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.11.4, there is a flaw in Hono’s JWK/JWKS JWT verification middleware allowed the algorithm specified in the JWT header to influence signature verification when the selected JWK did no
- CVE-2025-62610Oct 22, 2025affected >= 1.1.0, < 4.10.2fixed 4.10.2
Hono is a Web application framework that provides support for any JavaScript runtime. In versions from 1.1.0 to before 4.10.2, Hono’s JWT Auth Middleware does not provide a built-in aud (Audience) verification option, which can cause confused-deputy / token-mix-up issues: an API
Page 1 of 2