hono@4.0.5 vulnerabilities

Web framework built on Web Standards

  • latest version

    4.12.8

  • latest non vulnerable version

  • first published

    4 years ago

  • latest version published

    7 days ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the hono package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability   Vulnerable Version
    • Prototype Pollution (severity: Medium)

    hono is an Ultrafast web framework for the Edges

    Affected versions of this package are vulnerable to Prototype Pollution in parseBody() when the dot option is enabled. An attacker can supply objects with __proto__ properties, which may later be merged by other functions in the application, polluting their prototypes.

    How to fix Prototype Pollution?

    Upgrade hono to version 4.12.7 or higher.

    Vulnerable versions: <4.12.7
    • CRLF Injection (severity: Medium)

    Affected versions of this package are vulnerable to CRLF Injection via the writeSSE function when untrusted input containing carriage return or newline characters is passed to the event, id, or retry fields. An attacker can inject additional Server-Sent Events (SSE) fields within the same event frame by supplying specially crafted input.

    How to fix CRLF Injection?

    Upgrade hono to version 4.12.4 or higher.

    Vulnerable versions: >=3.8.0 <4.12.4
    • Improper Handling of URL Encoding (Hex Encoding) (severity: Medium)

    Affected versions of this package are vulnerable to Improper Handling of URL Encoding (Hex Encoding) via inconsistent URL decoding between the serveStatic process and route-based middleware protections. An attacker can access protected static resources without authorization by requesting paths with encoded slashes, e.g. /admin%2Fsecret.html.

    Note: This vulnerability specifically affects applications that rely solely on route-based middleware to protect static subpaths.

    How to fix Improper Handling of URL Encoding (Hex Encoding)?

    Upgrade hono to version 4.12.4 or higher.

    Vulnerable versions: <4.12.4
    • CRLF Injection (severity: Medium)

    Affected versions of this package are vulnerable to CRLF Injection via the setCookie() utility. An attacker can inject unauthorized cookie attributes by supplying specially crafted input containing semicolons, carriage returns, or newline characters in the domain or path fields.

    Notes:

    • Successful exploitation requires the application to pass user-controlled input directly into the domain or path options of setCookie().
    • This issue is limited to attribute-level manipulation within a single Set-Cookie header.

    How to fix CRLF Injection?

    Upgrade hono to version 4.12.4 or higher.

    Vulnerable versions: >=0.2.1 <4.12.4
    • Timing Attack (severity: Medium)

    Affected versions of this package are vulnerable to a Timing Attack via the timingSafeEqual() function. An attacker can infer sensitive information by performing timing analysis during authentication comparisons.

    How to fix Timing Attack?

    Upgrade hono to version 4.11.10 or higher.

    Vulnerable versions: <4.11.10
    • Use of Cache Containing Sensitive Information (severity: Medium)

    Affected versions of this package are vulnerable to Use of Cache Containing Sensitive Information via improper handling of HTTP cache control directives, including Cache-Control: private and Cache-Control: no-store. An attacker can access sensitive information by sending unauthenticated requests that receive cached responses intended for authenticated users.

    How to fix Use of Cache Containing Sensitive Information?

    Upgrade hono to version 4.11.7 or higher.

    Vulnerable versions: <4.11.7
    • Incorrect Authorization (severity: Medium)

    Affected versions of this package are vulnerable to Incorrect Authorization via improper validation of user-supplied paths in the serve-static middleware. An attacker can access internal asset keys by crafting requests that bypass intended path restrictions. This is only exploitable if the application is running on Cloudflare Workers and uses the Serve Static middleware with user-controllable request paths.

    How to fix Incorrect Authorization?

    Upgrade hono to version 4.11.7 or higher.

    Vulnerable versions: <4.11.7
    • Cross-site Scripting (XSS) (severity: Medium)

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the ErrorBoundary component of the jsx library, when untrusted user-controlled strings are rendered as raw HTML. An attacker can execute scripts in the victim's browser.

    How to fix Cross-site Scripting (XSS)?

    Upgrade hono to version 4.11.7 or higher.

    Vulnerable versions: <4.11.7
    • Incorrect Regular Expression (severity: Medium)

    Affected versions of this package are vulnerable to Incorrect Regular Expression: the IPV4_REGEX pattern does not properly match IPv4 octet ranges and passes octet values above 255 on to convertIPv4ToBinary. An attacker can gain unauthorized access or bypass IP-based restrictions by submitting malicious IP addresses, for example via the X-Forwarded-For header. Applications that rely on these values for access control decisions are vulnerable.

    How to fix Incorrect Regular Expression?

    Upgrade hono to version 4.11.7 or higher.

    Vulnerable versions: <4.11.7
    • Use of a Broken or Risky Cryptographic Algorithm (severity: High)

    Affected versions of this package are vulnerable to Use of a Broken or Risky Cryptographic Algorithm because the JWT verification middleware uses an unsafe default fallback algorithm. An attacker can gain unauthorized access or escalate privileges by crafting JWTs with manipulated alg header values, forcing the middleware to use the default HS256 algorithm for verification.

    Note:

    Users who configured their app without the JWK/JWKS middleware, or who explicitly restrict the allowed algorithms, are not affected.

    How to fix Use of a Broken or Risky Cryptographic Algorithm?

    Upgrade hono to version 4.11.4 or higher.

    Vulnerable versions: <4.11.4
    • Improper Verification of Cryptographic Signature (severity: High)

    Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature because the JWT verification middleware falls back to the unverified JWT header when the alg field is not present. An attacker can gain unauthorized access or escalate privileges by crafting JWTs with manipulated alg header values, forcing the middleware to use unsafe symmetric algorithms for verification.

    Note:

    Users who configured their app without the JWK/JWKS middleware, or who explicitly restrict the allowed algorithms, are not affected.

    How to fix Improper Verification of Cryptographic Signature?

    Upgrade hono to version 4.11.4 or higher.

    Vulnerable versions: <4.11.4
    • HTTP Request Smuggling (severity: Medium)

    Affected versions of this package are vulnerable to HTTP Request Smuggling via the CORS middleware, which copies the Vary header from the request to the response when the origin is not set to "*". An attacker can influence cache behavior or cause inconsistent cross-origin resource sharing enforcement by supplying crafted Vary headers in requests.

    Note: This is exploitable if shared caches or proxies rely on the Vary header for cache key calculation.

    How to fix HTTP Request Smuggling?

    Upgrade hono to version 4.10.3 or higher.

    Vulnerable versions: <4.10.3
    • Unverified Ownership (severity: High)

    Affected versions of this package are vulnerable to Unverified Ownership via the JWT authentication process. An attacker can gain unauthorized access to protected resources by presenting a valid token intended for a different audience when multiple services share the same issuer or keys.

    How to fix Unverified Ownership?

    Upgrade hono to version 4.10.2 or higher.

    Vulnerable versions: >=1.1.0 <4.10.2
    • HTTP Request Smuggling (severity: Medium)

    Affected versions of this package are vulnerable to HTTP Request Smuggling via the bodyLimit middleware when conflicting HTTP headers are present. An attacker can cause excessive memory or CPU consumption by sending oversized request bodies that bypass the configured size limit.

    Note: This is exploitable if the deployment environment or runtime does not reject requests with both Content-Length and Transfer-Encoding: chunked headers.

    How to fix HTTP Request Smuggling?

    Upgrade hono to version 4.9.7 or higher.

    Vulnerable versions: <4.9.7
    • Cross-site Request Forgery (CSRF) (severity: Medium)

    Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) through the csrf function. An attacker can bypass CSRF protection by sending a request without a Content-Type header.

    How to fix Cross-site Request Forgery (CSRF)?

    Upgrade hono to version 4.6.5 or higher.

    Vulnerable versions: <4.6.5
    • Cross-Site Request Forgery (CSRF) (severity: Low)

    Affected versions of this package are vulnerable to Cross-Site Request Forgery (CSRF) via the isRequestedByFormElementRe function. An attacker can bypass CSRF protection by using a crafted Content-Type header with case manipulation.

    How to fix Cross-Site Request Forgery (CSRF)?

    Upgrade hono to version 4.5.8 or higher.

    Vulnerable versions: <4.5.8
    • Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (severity: Medium)

    Affected versions of this package are vulnerable to Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'): when using serveStatic with Deno, it is possible to traverse the directory where main.ts is located, leading to the retrieval of unexpected files.

    How to fix Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')?

    Upgrade hono to version 4.2.7 or higher.

    Vulnerable versions: <4.2.7