VYPR

npm package

hono

pkg:npm/hono

Vulnerabilities (31)

  • CVE-2026-24472Jan 27, 2026
    affected < 4.11.7fixed 4.11.7

    Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.11.7, Cache Middleware contains an information disclosure vulnerability caused by improper handling of HTTP cache control directives. The middleware does not respect standard

  • CVE-2026-24398Jan 27, 2026
    affected < 4.11.7fixed 4.11.7

    Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.11.7, IP Restriction Middleware in Hono is vulnerable to an IP address validation bypass. The `IPV4_REGEX` pattern and `convertIPv4ToBinary` function in `src/utils/ipaddr.ts`

  • CVE-2026-22817Jan 13, 2026
    affected < 4.11.4fixed 4.11.4

    Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.11.4, there is a flaw in Hono’s JWK/JWKS JWT verification middleware allowed the JWT header’s alg value to influence signature verification when the selected JWK did not explicitly sp

  • CVE-2026-22818Jan 13, 2026
    affected < 4.11.4fixed 4.11.4

    Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.11.4, there is a flaw in Hono’s JWK/JWKS JWT verification middleware allowed the algorithm specified in the JWT header to influence signature verification when the selected JWK did no

  • CVE-2025-62610Oct 22, 2025
    affected >= 1.1.0, < 4.10.2fixed 4.10.2

    Hono is a Web application framework that provides support for any JavaScript runtime. In versions from 1.1.0 to before 4.10.2, Hono’s JWT Auth Middleware does not provide a built-in aud (Audience) verification option, which can cause confused-deputy / token-mix-up issues: an API

  • CVE-2025-59139Sep 12, 2025
    affected < 4.9.7fixed 4.9.7

    Hono is a Web application framework that provides support for any JavaScript runtime. In versions prior to 4.9.7, a flaw in the `bodyLimit` middleware could allow bypassing the configured request body size limit when conflicting HTTP headers were present. The middleware previousl

  • CVE-2025-58362Sep 4, 2025
    affected >= 4.8.0, < 4.9.6fixed 4.9.6

    Hono is a Web application framework that provides support for any JavaScript runtime. Versions 4.8.0 through 4.9.5 contain a flaw in the getPath utility function which could allow path confusion and potential bypass of proxy-level ACLs (e.g. Nginx location blocks). The original i

  • CVE-2024-48913Oct 15, 2024
    affected < 4.6.5fixed 4.6.5

    Hono, a web framework, prior to version 4.6.5 is vulnerable to bypass of cross-site request forgery (CSRF) middleware by a request without Content-Type header. Although the CSRF middleware verifies the Content-Type Header, Hono always considers a request without a Content-Type he

  • CVE-2024-43787Aug 22, 2024
    affected < 4.5.8fixed 4.5.8

    Hono is a Web application framework that provides support for any JavaScript runtime. Hono CSRF middleware can be bypassed using crafted Content-Type header. MIME types are case insensitive, but isRequestedByFormElementRe only matches lower-case. As a result, attacker can bypass

  • CVE-2024-32869Apr 23, 2024
    affected < 4.2.7fixed 4.2.7

    Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.2.7, when using serveStatic with deno, it is possible to traverse the directory where `main.ts` is located. This can result in retrieval of unexpected files. Version 4.2.7 con

  • CVE-2023-50710Dec 14, 2023
    affected < 3.11.7fixed 3.11.7

    Hono is a web framework written in TypeScript. Prior to version 3.11.7, clients may override named path parameter values from previous requests if the application is using TrieRouter. So, there is a risk that a privileged user may use unintended parameters when deleting REST API

Page 2 of 2