VYPR

Hono

by Honojs

npm: hono

Source repositories

CVEs (37)

  • CVE-2026-39408HigApr 8, 2026
    risk 0.42cvss 7.5epss 0.01

    Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, a path traversal issue in toSSG() allows files to be written outside the configured output directory during static site generation. When using dynamic route parameters via…

  • CVE-2026-54290higJun 16, 2026
    risk 0.38cvss epss 0.00

    ### Summary With `credentials: true` and no explicit `origin` (the default wildcard), the CORS Middleware reflects the request's `Origin` and sends `Access-Control-Allow-Credentials: true`. Any site can then make credentialed cross-origin requests and read the responses,…

  • CVE-2026-44456MedMay 13, 2026
    risk 0.35cvss 6.5epss 0.00

    Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.16, bodyLimit() does not reliably enforce maxSize for requests without a usable Content-Length (e.g. Transfer-Encoding: chunked). Oversized requests can reach handlers and return…

  • CVE-2026-47676MedMay 28, 2026
    risk 0.27cvss 5.3epss 0.00

    Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, app.mount() strips the mount prefix from the incoming request path using the raw URL pathname, while route matching is performed against the percent-decoded path. This…

  • CVE-2026-47674MedMay 28, 2026
    risk 0.27cvss 5.3epss 0.00

    Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, the ip-restriction middleware (hono/ip-restriction) compares incoming IP addresses against configured deny and allow rules using string equality after partial normalization.…

  • CVE-2026-44457MedMay 13, 2026
    risk 0.27cvss 5.3epss 0.00

    Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.18, Cache Middleware does not skip caching for responses that declare per-user variance via Vary: Authorization or Vary: Cookie. As a result, a response cached for one…

  • CVE-2026-39409MedApr 8, 2026
    risk 0.27cvss 5.3epss 0.00

    Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, ipRestriction() does not canonicalize IPv4-mapped IPv6 client addresses (e.g. ::ffff:127.0.0.1) before applying IPv4 allow or deny rules. In environments such as Node.js…

  • CVE-2026-39407MedApr 8, 2026
    risk 0.27cvss 5.3epss 0.00

    Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, a path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes (//) in the request path. When route-based middleware…

  • CVE-2026-47673MedMay 28, 2026
    risk 0.24cvss 4.8epss 0.00

    Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, the jwt and jwk middlewares do not verify that the Authorization header value uses theBearer scheme. Any two-part header value — regardless of the scheme name in the first…

  • CVE-2026-44455MedMay 13, 2026
    risk 0.24cvss 4.7epss 0.00

    Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.16, Improper handling of JSX element tag names in hono/jsx allowed unvalidated tag names to be directly inserted into the generated HTML output. When untrusted input is used as a…

  • CVE-2026-39410MedApr 8, 2026
    risk 0.24cvss 4.8epss 0.00

    Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, a discrepancy between browser cookie parsing and parse() handling allows cookie prefix protections to be bypassed. Cookie names that are treated as distinct by the browser may…

  • CVE-2026-47675MedMay 28, 2026
    risk 0.21cvss 4.3epss 0.00

    Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, the serialize() function in hono/cookie validates domain and path options against characters that corrupt Set-Cookie header syntax (;, \r, \n), but does not apply the same…

  • CVE-2026-44458MedMay 13, 2026
    risk 0.21cvss 4.3epss 0.00

    Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.18, the JSX renderer escapes style attribute object values for HTML but not for CSS. Untrusted input in a style object value or property name can therefore inject additional CSS…

  • CVE-2026-44459LowMay 13, 2026
    risk 0.18cvss 3.8epss 0.00

    Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.18, improper validation of the JWT NumericDate claims exp, nbf, and iat in hono/utils/jwt allows tokens with non-spec-compliant claim values to silently bypass time-based checks.…

  • CVE-2026-56762Jun 23, 2026
    risk 0.00cvss epss 0.00

    Hono before 4.12.12 does not validate cookie names on the write path in the setCookie(), serialize(), and serializeSigned() functions, allowing invalid characters such as control characters (e.g. \r or \n) when an application passes a user-controlled cookie name. This can…

  • CVE-2026-54288Jun 16, 2026
    risk 0.00cvss epss 0.00

    ### Summary The Body Limit Middleware trusts the request's `Content-Length` header to decide whether a body is within the limit. On AWS Lambda (API Gateway v1/v2, ALB, VPC Lattice, and Lambda@Edge) the body is delivered fully buffered and the adapter builds the request with the…

  • CVE-2026-54289Jun 16, 2026
    risk 0.00cvss epss 0.00

    ### Summary On AWS Lambda@Edge, CloudFront delivers a request header that appears more than once as several separate entries. The adapter writes each value with `Headers.set` instead of `Headers.append`, so every value overwrites the previous one and only the last reaches the…

  • CVE-2026-54286Jun 16, 2026
    risk 0.00cvss epss 0.00

    ### Summary On Windows hosts, an encoded backslash (`%5C`) in the request path decodes to `\`, which the Windows path resolver treats as a separator. `serve-static` then resolves a single URL segment such as `admin\secret.txt` into a nested file under the root and serves it,…

  • CVE-2026-54287Jun 16, 2026
    risk 0.00cvss epss 0.00

    ### Summary On AWS Lambda, the ALB single-header response and the VPC Lattice v2 response join multiple `Set-Cookie` headers into one comma-separated value. Because commas also appear inside cookie attributes (for example `Expires` dates), clients cannot split the value back…

  • CVE-2026-29085Mar 4, 2026
    risk 0.00cvss epss 0.00

    Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.12.4, when using streamSSE() in Streaming Helper, the event, id, and retry fields were not validated for carriage return (\r) or newline (\n) characters. Because the SSE…

Page 1 of 2