hono@1.6.4

Web framework built on Web Standards

  • latest version: 4.12.18

  • latest non vulnerable version

  • first published: 4 years ago

  • latest version published: 4 days ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the hono package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability | Vulnerable Version
    • M
    Improper Validation of Specified Quantity in Input

    hono is an Ultrafast web framework for the Edges

    Affected versions of this package are vulnerable to Improper Validation of Specified Quantity in Input through the verify function in the JWT component. An attacker can supply a signed token with malformed nbf, exp, or iat claims, including non-numeric values or non-finite numbers such as 1e400, causing those claims to be skipped during validation so that a token which should be rejected is accepted. This lets an attacker present tokens with invalid time-based claims and gain unauthorized access to protected JWT-backed functionality.

    Note: This is only exploitable if the attacker can issue tokens accepted by the application or has control over the signing key.

    How to fix Improper Validation of Specified Quantity in Input?

    Upgrade hono to version 4.12.18 or higher.

    >=1.1.0 <4.12.18
    • L
    HTML Injection

    Affected versions of this package are vulnerable to HTML Injection via the jsx element tag. An attacker can inject unintended HTML elements or attributes, corrupt the HTML structure, or execute scripts by supplying malicious tag names as input to the rendering process.

    Note: This is only exploitable if applications construct JSX tag names from untrusted input; applications using static or allowlisted tag names are not affected.

    How to fix HTML Injection?

    Upgrade hono to version 4.12.16 or higher.

    <4.12.16
    • H
    Allocation of Resources Without Limits or Throttling

    Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the bodyLimit function. An attacker can bypass request size restrictions by sending chunked or unknown-length requests, allowing oversized payloads to reach application handlers and potentially receive successful responses before the size check is enforced.

    How to fix Allocation of Resources Without Limits or Throttling?

    Upgrade hono to version 4.12.16 or higher.

    <4.12.16
    • M
    Cross-site Scripting (XSS)

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the jsxAttr() and JSX attribute rendering paths in src/jsx/jsx-runtime.ts, src/jsx/base.ts, and src/jsx/dom/render.ts. An attacker can inject executable markup by supplying a crafted attribute name such as one containing quotes, angle brackets, or spaces through JSX props or spread attributes. This lets untrusted input break out of the intended attribute context during server-rendered output or DOM updates, leading to script execution in the user’s browser and compromising the affected page.

    How to fix Cross-site Scripting (XSS)?

    Upgrade hono to version 4.12.14 or higher.

    <4.12.14
    • M
    Incorrect Behavior Order: Validate Before Canonicalize

    Affected versions of this package are vulnerable to Incorrect Behavior Order: Validate Before Canonicalize in the ipRestriction function. An attacker can bypass access restrictions by sending requests from IPv4-mapped IPv6 addresses, which are not properly matched against IPv4 allow or deny rules.

    How to fix Incorrect Behavior Order: Validate Before Canonicalize?

    Upgrade hono to version 4.12.12 or higher.

    <4.12.12
    • M
    Improper Input Validation

    Affected versions of this package are vulnerable to Improper Input Validation via the getCookie function. An attacker can override legitimate cookies and bypass prefix protections by setting cookies with non-breaking space prefixes, leading to potential session fixation or hijacking.

    How to fix Improper Input Validation?

    Upgrade hono to version 4.12.12 or higher.

    <4.12.12
    • M
    HTTP Response Splitting

    Affected versions of this package are vulnerable to HTTP Response Splitting via the setCookie function. An attacker can cause runtime errors and potentially disrupt application behavior by supplying specially crafted input as the cookie name, leading to malformed Set-Cookie header values.

    How to fix HTTP Response Splitting?

    Upgrade hono to version 4.12.12 or higher.

    <4.12.12
    • M
    Directory Traversal

    Affected versions of this package are vulnerable to Directory Traversal via the serveStatic function. An attacker can access sensitive static files intended to be protected by route-based middleware by crafting request paths with repeated slashes, thereby bypassing authorization checks.

    How to fix Directory Traversal?

    Upgrade hono to version 4.12.12 or higher.

    <4.12.12
    • M
    Prototype Pollution

    Affected versions of this package are vulnerable to Prototype Pollution in parseBody(), when the dot option is enabled. An attacker can supply objects with __proto__ properties, which may later be merged by other functions in the application, polluting their prototypes.

    How to fix Prototype Pollution?

    Upgrade hono to version 4.12.7 or higher.

    <4.12.7
    • M
    Improper Handling of URL Encoding (Hex Encoding)

    Affected versions of this package are vulnerable to Improper Handling of URL Encoding (Hex Encoding) via inconsistent URL decoding between the serveStatic process and route-based middleware protections. An attacker can access protected static resources without authorization by requesting paths with encoded slashes (e.g. /admin%2Fsecret.html).

    Note: This vulnerability specifically affects applications that rely solely on route-based middleware to protect static subpaths.

    How to fix Improper Handling of URL Encoding (Hex Encoding)?

    Upgrade hono to version 4.12.4 or higher.

    <4.12.4
    • M
    CRLF Injection

    Affected versions of this package are vulnerable to CRLF Injection via the setCookie() utility. An attacker can inject unauthorized cookie attributes by supplying specially crafted input containing semicolons, carriage returns, or newline characters in the domain or path fields.

    Notes:

    • Successful exploitation requires the application to pass user-controlled input directly into the domain or path options of setCookie().
    • This issue is limited to attribute-level manipulation within a single Set-Cookie header.

    How to fix CRLF Injection?

    Upgrade hono to version 4.12.4 or higher.

    >=0.2.1 <4.12.4
    • M
    Timing Attack

    Affected versions of this package are vulnerable to Timing Attack via the timingSafeEqual() function. An attacker can infer sensitive information by performing timing analysis attacks during authentication comparisons.

    How to fix Timing Attack?

    Upgrade hono to version 4.11.10 or higher.

    <4.11.10
    • M
    Use of Cache Containing Sensitive Information

    Affected versions of this package are vulnerable to Use of Cache Containing Sensitive Information via improper handling of HTTP cache control directives, including Cache-Control: private and Cache-Control: no-store. An attacker can access sensitive information by sending unauthenticated requests that receive cached responses intended for authenticated users.

    How to fix Use of Cache Containing Sensitive Information?

    Upgrade hono to version 4.11.7 or higher.

    <4.11.7
    • M
    Incorrect Authorization

    Affected versions of this package are vulnerable to Incorrect Authorization via improper validation of user-supplied paths in the serve-static middleware. An attacker can access internal asset keys by crafting requests that bypass intended path restrictions. This is only exploitable if the application is running on Cloudflare Workers and uses the Serve Static middleware with user-controllable request paths.

    How to fix Incorrect Authorization?

    Upgrade hono to version 4.11.7 or higher.

    <4.11.7
    • M
    Cross-site Scripting (XSS)

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the ErrorBoundary component of the jsx library, when untrusted user-controlled strings are rendered as raw HTML. An attacker can execute scripts in the victim's browser.

    How to fix Cross-site Scripting (XSS)?

    Upgrade hono to version 4.11.7 or higher.

    <4.11.7
    • M
    Incorrect Regular Expression

    Affected versions of this package are vulnerable to Incorrect Regular Expression because the IPV4_REGEX pattern does not properly validate IPv4 octet ranges and passes octet values above 255 on to convertIPv4ToBinary. An attacker can gain unauthorized access or bypass IP-based restrictions by submitting malicious IP addresses, such as via the X-Forwarded-For header. Applications that rely on these values for access control decisions are vulnerable.

    How to fix Incorrect Regular Expression?

    Upgrade hono to version 4.11.7 or higher.

    <4.11.7
    • H
    Use of a Broken or Risky Cryptographic Algorithm

    Affected versions of this package are vulnerable to Use of a Broken or Risky Cryptographic Algorithm because the JWT verification middleware uses an unsafe default fallback algorithm. An attacker can gain unauthorized access or escalate privileges by crafting JWTs with manipulated alg header values, forcing the middleware to use the default HS256 algorithm for verification.

    Note: Users who configured their app without the JWK/JWKS middleware, or who explicitly restrict the allowed algorithms, are not affected.

    How to fix Use of a Broken or Risky Cryptographic Algorithm?

    Upgrade hono to version 4.11.4 or higher.

    <4.11.4
    • H
    Improper Verification of Cryptographic Signature

    Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature because the JWT verification middleware falls back to the unverified JWT header when the alg field is not present. An attacker can gain unauthorized access or escalate privileges by crafting JWTs with manipulated alg header values, forcing the middleware to use unsafe symmetric algorithms for verification.

    Note: Users who configured their app without the JWK/JWKS middleware, or who explicitly restrict the allowed algorithms, are not affected.

    How to fix Improper Verification of Cryptographic Signature?

    Upgrade hono to version 4.11.4 or higher.

    <4.11.4
    • M
    HTTP Request Smuggling

    Affected versions of this package are vulnerable to HTTP Request Smuggling via the CORS middleware, which copies the Vary header from the request to the response when the origin is not set to "*". An attacker can influence cache behavior or cause inconsistent cross-origin resource sharing enforcement by supplying crafted Vary headers in requests.

    Note: This is exploitable if shared caches or proxies rely on the Vary header for cache key calculation.

    How to fix HTTP Request Smuggling?

    Upgrade hono to version 4.10.3 or higher.

    <4.10.3
    • H
    Unverified Ownership

    Affected versions of this package are vulnerable to Unverified Ownership via the JWT authentication process. An attacker can gain unauthorized access to protected resources by presenting a valid token intended for a different audience when multiple services share the same issuer or keys.

    How to fix Unverified Ownership?

    Upgrade hono to version 4.10.2 or higher.

    >=1.1.0 <4.10.2
    • M
    HTTP Request Smuggling

    Affected versions of this package are vulnerable to HTTP Request Smuggling via the bodyLimit middleware when conflicting HTTP headers are present. An attacker can cause excessive memory or CPU consumption by sending oversized request bodies that bypass the configured size limit.

    Note: This is exploitable if the deployment environment or runtime does not reject requests with both Content-Length and Transfer-Encoding: chunked headers.

    How to fix HTTP Request Smuggling?

    Upgrade hono to version 4.9.7 or higher.

    <4.9.7
    • M
    Cross-site Request Forgery (CSRF)

    Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) through the csrf function. An attacker can bypass CSRF protection by sending a request without a Content-Type header.

    How to fix Cross-site Request Forgery (CSRF)?

    Upgrade hono to version 4.6.5 or higher.

    <4.6.5
    • L
    Cross-Site Request Forgery (CSRF)

    Affected versions of this package are vulnerable to Cross-Site Request Forgery (CSRF) via the isRequestedByFormElementRe function. An attacker can bypass CSRF protection by using a crafted Content-Type header with case manipulation.

    How to fix Cross-Site Request Forgery (CSRF)?

    Upgrade hono to version 4.5.8 or higher.

    <4.5.8
    • M
    Improper Control of Generation of Code ('Code Injection')

    Affected versions of this package are vulnerable to Improper Control of Generation of Code ('Code Injection') when the application uses TrieRouter, or when it matches a pattern that the default RegExpRouter does not support. An attacker can influence the behavior of the application by injecting unintended parameters when deleting REST API resources.

    Note: This is only exploitable if a privileged user interacts with the application in a way that allows for parameter override.

    How to fix Improper Control of Generation of Code ('Code Injection')?

    Upgrade hono to version 3.11.7 or higher.

    <3.11.7
    • M
    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

    Affected versions of this package are vulnerable to Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'): when serveStatic is used with Deno, it is possible to traverse the directory where main.ts is located, leading to the retrieval of unexpected files.

    How to fix Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')?

    Upgrade hono to version 4.2.7 or higher.

    <4.2.7
    • M
    Arbitrary Code Injection

    Affected versions of this package are vulnerable to Arbitrary Code Injection via the TrieRouter process. An attacker can manipulate the path parameters to override named path parameter values from previous requests, potentially leading to unintended behavior or access to privileged operations.

    Note: This is only exploitable if the application uses TrieRouter explicitly or matches a pattern not supported by the default RegExpRouter.

    How to fix Arbitrary Code Injection?

    Upgrade hono to version 3.11.7 or higher.

    <3.11.7