hono
npm34 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting honopage 1 of 1
- CVE-2023-50710MEDIUMCVSS 4.3EG 4.2✓ Fixed in 3.11.72023-12-14
Hono is a web framework written in TypeScript. Prior to version 3.11.7, clients may override named path parameter values from previous requests if the application is using TrieRouter. So, there is a risk that a privileged user may use unin…
- CVE-2024-32869MEDIUMCVSS 5.3EG 5.3✓ Fixed in 4.2.72024-04-23
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.2.7, when using serveStatic with deno, it is possible to traverse the directory where `main.ts` is located. This can result in retriev…
- CVE-2024-43787MEDIUMCVSS 5.0EG 5.0✓ Fixed in 4.5.82024-08-22
Hono is a Web application framework that provides support for any JavaScript runtime. Hono CSRF middleware can be bypassed using crafted Content-Type header. MIME types are case insensitive, but isRequestedByFormElementRe only matches lowe…
- CVE-2024-48913MEDIUMCVSS 5.9EG 5.9✓ Fixed in 4.6.52024-10-15
Hono, a web framework, prior to version 4.6.5 is vulnerable to bypass of cross-site request forgery (CSRF) middleware by a request without Content-Type header. Although the CSRF middleware verifies the Content-Type Header, Hono always cons…
- CVE-2025-58362HIGHCVSS 7.5EG 7.5✓ Fixed in 4.9.62025-09-05
Hono is a Web application framework that provides support for any JavaScript runtime. Versions 4.8.0 through 4.9.5 contain a flaw in the getPath utility function which could allow path confusion and potential bypass of proxy-level ACLs (e.…
- CVE-2025-59139MEDIUMCVSS 5.3EG 5.3✓ Fixed in 4.9.72025-09-12
Hono is a Web application framework that provides support for any JavaScript runtime. In versions prior to 4.9.7, a flaw in the `bodyLimit` middleware could allow bypassing the configured request body size limit when conflicting HTTP heade…
- CVE-2025-62610HIGHCVSS 8.1EG 8.1✓ Fixed in 4.10.22025-10-22
Hono is a Web application framework that provides support for any JavaScript runtime. In versions from 1.1.0 to before 4.10.2, Hono’s JWT Auth Middleware does not provide a built-in aud (Audience) verification option, which can cause con…
- CVE-2025-71381MEDIUMCVSS 6.5EG 6.5✓ Fixed in 4.10.32026-06-30
Hono before 4.10.2 (fixed in 4.10.3) contains a flaw in its CORS middleware: when the origin is not set to "*", the middleware copies the Vary header from the incoming request into the response. Because Vary is a response header that shoul…
- CVE-2026-22817HIGHCVSS 8.2EG 8.2✓ Fixed in 4.11.42026-01-13
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.11.4, there is a flaw in Hono’s JWK/JWKS JWT verification middleware allowed the JWT header’s alg value to influence signature verificatio…
- CVE-2026-22818HIGHCVSS 8.2EG 8.2✓ Fixed in 4.11.42026-01-13
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.11.4, there is a flaw in Hono’s JWK/JWKS JWT verification middleware allowed the algorithm specified in the JWT header to influence signatur…
- CVE-2026-24398MEDIUMCVSS 4.8EG 4.8✓ Fixed in 4.11.72026-01-27
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.11.7, IP Restriction Middleware in Hono is vulnerable to an IP address validation bypass. The `IPV4_REGEX` pattern and `convertIPv4ToB…
- CVE-2026-24472MEDIUMCVSS 5.3EG 5.3✓ Fixed in 4.11.72026-01-27
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.11.7, Cache Middleware contains an information disclosure vulnerability caused by improper handling of HTTP cache control directives. …
- CVE-2026-24473MEDIUMCVSS 5.3EG 5.3✓ Fixed in 4.11.72026-01-27
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.11.7, Serve static Middleware for the Cloudflare Workers adapter contains an information disclosure vulnerability that may allow attac…
- CVE-2026-24771MEDIUMCVSS 4.7EG 4.7✓ Fixed in 4.11.72026-01-27
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.11.7, a Cross-Site Scripting (XSS) vulnerability exists in the `ErrorBoundary` component of the hono/jsx library. Under certain usage …
- CVE-2026-39407MEDIUMCVSS 5.3EG 5.3✓ Fixed in 4.12.122026-04-08
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, a path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes (//) in the request…
- CVE-2026-39408HIGHCVSS 7.5EG 7.5✓ Fixed in 4.12.122026-04-08
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, a path traversal issue in toSSG() allows files to be written outside the configured output directory during static site generation. Whe…
- CVE-2026-39409MEDIUMCVSS 5.3EG 5.3✓ Fixed in 4.12.122026-04-08
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, ipRestriction() does not canonicalize IPv4-mapped IPv6 client addresses (e.g. ::ffff:127.0.0.1) before applying IPv4 allow or deny rule…
- CVE-2026-39410MEDIUMCVSS 4.8EG 4.8✓ Fixed in 4.12.122026-04-08
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, a discrepancy between browser cookie parsing and parse() handling allows cookie prefix protections to be bypassed. Cookie names that ar…
- CVE-2026-44455MEDIUMCVSS 4.7EG 4.7✓ Fixed in 4.12.162026-05-13
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.16, Improper handling of JSX element tag names in hono/jsx allowed unvalidated tag names to be directly inserted into the generated HTML ou…
- CVE-2026-44456MEDIUMCVSS 6.5EG 6.5✓ Fixed in 4.12.162026-05-13
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.16, bodyLimit() does not reliably enforce maxSize for requests without a usable Content-Length (e.g. Transfer-Encoding: chunked). Oversized…
- CVE-2026-44457MEDIUMCVSS 5.3EG 5.3✓ Fixed in 4.12.182026-05-13
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.18, Cache Middleware does not skip caching for responses that declare per-user variance via Vary: Authorization or Vary: Cookie. As a resul…
- CVE-2026-44458MEDIUMCVSS 4.3EG 4.3✓ Fixed in 4.12.182026-05-13
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.18, the JSX renderer escapes style attribute object values for HTML but not for CSS. Untrusted input in a style object value or property na…
- CVE-2026-44459LOWCVSS 3.8EG 3.8✓ Fixed in 4.12.182026-05-13
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.18, improper validation of the JWT NumericDate claims exp, nbf, and iat in hono/utils/jwt allows tokens with non-spec-compliant claim value…
- CVE-2026-47673MEDIUMCVSS 4.8EG 4.8✓ Fixed in 4.12.212026-05-28
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, the jwt and jwk middlewares do not verify that the Authorization header value uses theBearer scheme. Any two-part header value — rega…
- CVE-2026-47674MEDIUMCVSS 5.3EG 5.3✓ Fixed in 4.12.212026-05-28
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, the ip-restriction middleware (hono/ip-restriction) compares incoming IP addresses against configured deny and allow rules using string…
- CVE-2026-47675MEDIUMCVSS 4.3EG 4.3✓ Fixed in 4.12.212026-05-28
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, the serialize() function in hono/cookie validates domain and path options against characters that corrupt Set-Cookie header syntax (;, …
- CVE-2026-47676MEDIUMCVSS 5.3EG 5.3✓ Fixed in 4.12.212026-05-28
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, app.mount() strips the mount prefix from the incoming request path using the raw URL pathname, while route matching is performed agains…
- CVE-2026-54286MEDIUMCVSS 5.9EG 5.9✓ Fixed in 4.12.252026-06-16
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.25, on Windows hosts, an encoded backslash (%5C) in the request path decodes to \, which the Windows path resolver treats as a separator. s…
- CVE-2026-54287MEDIUMCVSS 5.3EG 5.3✓ Fixed in 4.12.252026-06-16
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.25, on AWS Lambda, the ALB single-header response and the VPC Lattice v2 response join multiple Set-Cookie headers into one comma-separated…
- CVE-2026-54288MEDIUMCVSS 6.5EG 6.5✓ Fixed in 4.12.252026-06-16
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.25, the Body Limit Middleware trusts the request's Content-Length header to decide whether a body is within the limit. On AWS Lambda (API G…
- CVE-2026-54289MEDIUMCVSS 4.8EG 4.8✓ Fixed in 4.12.252026-06-16
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.25, on AWS Lambda@Edge, CloudFront delivers a request header that appears more than once as several separate entries. The adapter writes ea…
- CVE-2026-54290HIGHCVSS 7.1EG 7.1✓ Fixed in 4.12.252026-06-16
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.25, with credentials: true and no explicit origin (the default wildcard), the CORS Middleware reflects the request's Origin and sends Acces…
- CVE-2026-56762MEDIUMCVSS 5.3EG 5.3✓ Fixed in 4.12.122026-06-23
Hono before 4.12.12 does not validate cookie names on the write path in the setCookie(), serialize(), and serializeSigned() functions, allowing invalid characters such as control characters (e.g. \r or \n) when an application passes a user…
- CVE-2026-56763MEDIUMCVSS 4.8EG 4.8✓ Fixed in 4.12.72026-07-11
Hono before 4.12.7 allows __proto__ key in parseBody with dot option enabled, permitting specially crafted form field names to create objects with __proto__ properties. When parsed results are merged into regular JavaScript objects using u…
Check whether hono is used in your infrastructure
EchelonGraph scans your cloud and SBOMs to map every package to your actual deployments. See blast radius for hono CVEs against the assets you own.
Start Free Scan →