hono@3.6.0-rc.2 vulnerabilities

Web framework built on Web Standards

Direct Vulnerabilities

Known vulnerabilities in the hono package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability / Severity / Vulnerable versions
  • Medium severity: Cross-site Request Forgery (CSRF)

hono is an Ultrafast web framework for the Edges

Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) through the csrf middleware (the exported csrf function). The middleware only applies its Origin check to requests whose Content-Type looks like a browser form submission, so an attacker can bypass it by having the victim's browser send a state-changing request with no Content-Type header at all, which is exactly what a cross-origin fetch() POST without a body does.

How to fix Cross-site Request Forgery (CSRF)?

Upgrade hono to version 4.6.5 or higher.

Vulnerable versions: <4.6.5
  • Low severity: Cross-site Request Forgery (CSRF)

Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) via the isRequestedByFormElementRe check, the regular expression the csrf middleware uses to decide whether a request looks like a form submission. Because that match was case-sensitive, an attacker can bypass CSRF protection with a crafted Content-Type header that differs only in letter case (for example Application/x-www-form-urlencoded). Browsers treat such a value as a safelisted form type, so the request still goes out cross-origin without a CORS preflight, yet the middleware did not recognize it and skipped its Origin check.

How to fix Cross-site Request Forgery (CSRF)?

Upgrade hono to version 4.5.8 or higher.

Vulnerable versions: <4.5.8
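The two CSRF entries above describe the same gate failing in two ways: the form-type match was case-sensitive (fixed in 4.5.8), and a request with no Content-Type header was never inspected at all (fixed in 4.6.5). The following is an added illustration, not hono's source code: a minimal model of such a Content-Type gate with three behaviour profiles (hypothetical names), run over constructed requests. A `false` result for an attacker-origin POST is a bypass.

```javascript
// Added illustration (not hono's source): a minimal model of the Content-Type
// gate a form-CSRF middleware applies, in the two weak forms the advisories
// describe and a hardened form. Request objects are constructed inline.

const FORM_TYPES_CASE_SENSITIVE =
  /^\b(application\/x-www-form-urlencoded|multipart\/form-data|text\/plain)\b/;
const FORM_TYPES = new RegExp(FORM_TYPES_CASE_SENSITIVE.source, 'i');
const SAFE_METHODS = /^(GET|HEAD)$/;

// Behaviour profiles (hypothetical names): how the gate treats letter case in
// the Content-Type value and how it treats a missing Content-Type header.
const PROFILES = {
  caseSensitiveMatch: { caseInsensitive: false, missingHeaderIsForm: false },
  skipWhenMissing:    { caseInsensitive: true,  missingHeaderIsForm: false },
  hardened:           { caseInsensitive: true,  missingHeaderIsForm: true },
};

// Returns true when the request should be rejected as cross-site (HTTP 403),
// false when the middleware lets it through to the handler.
function csrfRejects(req, trustedOrigin, profile) {
  if (SAFE_METHODS.test(req.method)) return false; // safe methods are never gated

  let contentType = req.headers['content-type'];
  if (contentType === undefined) {
    // A browser fetch() POST with no body carries no Content-Type, so a gate
    // that only inspects form-looking types never sees the request. The
    // hardened profile treats "no header" like text/plain so the Origin check
    // still runs.
    contentType = profile.missingHeaderIsForm ? 'text/plain' : '';
  }

  const formTypeRe = profile.caseInsensitive ? FORM_TYPES : FORM_TYPES_CASE_SENSITIVE;
  if (!formTypeRe.test(contentType)) return false; // e.g. JSON: needs a preflight, not gated here

  // Form-style body: block unless the Origin header is the trusted one.
  return req.headers['origin'] !== trustedOrigin;
}

// Constructed sample requests (not captured traffic).
const TRUSTED = 'https://app.example';
const ATTACKER = 'https://attacker.example';
const SAMPLES = {
  plainForm:     { method: 'POST', headers: { origin: ATTACKER, 'content-type': 'application/x-www-form-urlencoded' } },
  caseTwisted:   { method: 'POST', headers: { origin: ATTACKER, 'content-type': 'Application/x-www-form-urlencoded' } },
  noContentType: { method: 'POST', headers: { origin: ATTACKER } },
  sameOrigin:    { method: 'POST', headers: { origin: TRUSTED, 'content-type': 'multipart/form-data; boundary=x' } },
  safeGet:       { method: 'GET',  headers: { origin: ATTACKER } },
};

// Runs every sample through one profile and returns { sampleName: rejected }.
function evaluateProfile(profileName) {
  const profile = PROFILES[profileName];
  const out = {};
  for (const [name, req] of Object.entries(SAMPLES)) {
    out[name] = csrfRejects(req, TRUSTED, profile);
  }
  return out;
}

for (const name of Object.keys(PROFILES)) {
  console.log(name, evaluateProfile(name));
}
```

Under caseSensitiveMatch both caseTwisted and noContentType slip through; under skipWhenMissing only noContentType does; under hardened every attacker-origin POST is rejected while the same-origin form and the GET still pass. Whether the missing-header variant carries the victim's cookies in a real browser depends on the cookie's SameSite attribute, so SameSite=Lax or Strict on the session cookie is the complementary defence.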
  • Medium severity: Improper Control of Generation of Code ('Code Injection')

Affected versions of this package are vulnerable to Improper Control of Generation of Code ('Code Injection') when the application uses TrieRouter, either explicitly or because a route pattern is not supported by the default RegExpRouter and matching falls back to TrieRouter. Named path parameters could be overridden with unintended values, so an attacker can influence application behaviour, for example when a REST API resource is deleted by an id taken from the path. Despite the CWE label, the behaviour described is parameter confusion in the router, not execution of attacker-supplied code.

Note:

This is only exploitable if a privileged user interacts with the application in a way that allows for parameter override.

How to fix Improper Control of Generation of Code ('Code Injection')?

Upgrade hono to version 3.11.7 or higher.

Vulnerable versions: <3.11.7
  • Medium severity: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Affected versions of this package are vulnerable to Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') when serveStatic is used with Deno. A request path containing traversal sequences can escape the configured static root and read files from the directory where main.ts (the application entry point) is located, leading to the retrieval of files the application never intended to serve.

How to fix Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')?

Upgrade hono to version 4.2.7 or higher.

Vulnerable versions: <4.2.7
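The traversal entry above is an instance of a general mistake: mapping a request path onto the filesystem without normalizing it. The following is an added illustration, not hono's serveStatic code or the fix it shipped: a naive root-plus-path join next to a hardened resolver that decodes first, normalizes segment by segment and refuses anything that would climb above the root. The root and request paths are constructed for the demo.

```javascript
// Added illustration (not hono's source): two ways a static-file handler can
// map a request path onto the filesystem. Root and inputs are hypothetical.

const STATIC_ROOT = './static';

// Naive: root + decoded path. A "../" segment survives and escapes the root.
function naiveFilePath(root, requestPath) {
  const decoded = decodeURIComponent(requestPath);
  return root.replace(/\/+$/, '') + '/' + decoded.replace(/^\/+/, '');
}

// Hardened: decode once, split on "/", drop "." and empty segments, and treat
// any ".." that would pop past the root as a rejected request (returns null).
// Decoding before normalizing matters: "%2e%2e" or "%2f" must not get past a
// check that only looked at the raw string.
function safeFilePath(root, requestPath) {
  let decoded;
  try {
    decoded = decodeURIComponent(requestPath);
  } catch {
    return null;                              // malformed percent-encoding
  }
  if (decoded.includes('\0')) return null;    // NUL can truncate paths in some runtimes

  const segments = [];
  for (const seg of decoded.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') {
      if (segments.length === 0) return null; // would leave the root
      segments.pop();
      continue;
    }
    segments.push(seg);
  }
  return root.replace(/\/+$/, '') + '/' + segments.join('/');
}

// A string-prefix test on an un-normalized path is not a defence: it is
// fooled by './static/../main.ts', which still starts with './static/'.
function staysUnderRoot(root, filePath) {
  const base = root.replace(/\/+$/, '');
  return filePath === base || filePath.startsWith(base + '/');
}

// Constructed request paths, including the traversal shapes to watch for.
const SAMPLE_PATHS = ['/css/site.css', '/css/../app.js', '/../main.ts', '/%2e%2e%2fmain.ts', '/%zz'];
for (const p of SAMPLE_PATHS) {
  let naive;
  try { naive = naiveFilePath(STATIC_ROOT, p); } catch { naive = '(decode error)'; }
  console.log(p, '->', { naive, safe: safeFilePath(STATIC_ROOT, p) });
}
```

Lexical normalization is the first half of the fix; it does nothing about symlinks inside the root that point outside it, so a handler that serves from a directory users can write to should also resolve the real path and compare it to the real root before opening the file.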
  • Medium severity: Arbitrary Code Injection

Affected versions of this package are vulnerable to Arbitrary Code Injection via the TrieRouter matching process. An attacker can manipulate path parameters so that named parameter values carried over from previous requests override the values the current request should receive, potentially leading to unintended behaviour or access to privileged operations, such as a handler acting on a resource id other than the one in the request path.

Note:

This is only exploitable if the application uses TrieRouter explicitly or matches a pattern not supported by the default RegExpRouter.

How to fix Arbitrary Code Injection?

Upgrade hono to version 3.11.7 or higher.

Vulnerable versions: <3.11.7