GHSA-98q5-3v5r-qvfhMediumCVSS 3.7

Hono before 4.11.10 contains a timing attack vulnerability in the basicAuth and bearerAuth...

Published
July 15, 2026
Last Modified
July 15, 2026

🔗 CVE IDs covered (1)

📋 Description

Hono before 4.11.10 contains a timing attack vulnerability in the basicAuth and bearerAuth middlewares due to non-constant-time string comparison in the timingSafeEqual function. Attackers can exploit early termination of string equality checks to infer valid credentials through precise timing measurements.

🔗 References (4)