hono@4.0.5

hono is an Ultrafast web framework for the Edges

Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output in the AWS Lambda adapter's handling of multiple Set-Cookie headers. An attacker can cause clients to drop or misinterpret cookies by triggering responses that set multiple cookies, leading to broken sessions, forced re-authentication, or failure of preference and CSRF cookies. This is only exploitable if the application is deployed on AWS Lambda behind an ALB in single-header mode or VPC Lattice v2.

Upgrade hono to version 4.12.25 or higher.

hono is an Ultrafast web framework for the Edges

Affected versions of this package are vulnerable to Directory Traversal via the serve-static method on Windows hosts when an encoded backslash (%5C) in the request path is decoded to \, which is treated as a separator by the Windows path resolver. An attacker can access static files that are intended to be protected behind prefix-mounted middleware by crafting a request path containing an encoded backslash.

Upgrade hono to version 4.12.25 or higher.

hono is an Ultrafast web framework for the Edges

Affected versions of this package are vulnerable to Improperly Implemented Security Check for Standard in the Lambda@Edge adapter that truncates repeated request headers. An attacker can bypass access restrictions or affect auditing mechanisms by sending repeated request headers, causing only the last value to be processed and earlier values to be ignored.

Upgrade hono to version 4.12.25 or higher.

hono is an Ultrafast web framework for the Edges

Affected versions of this package are vulnerable to Insufficient Verification of Data Authenticity in the Body Limit Middleware. An attacker can cause the application to process payloads larger than the configured maximum by understating the Content-Length header in requests on AWS Lambda environments, leading to increased CPU and memory usage per request.

Upgrade hono to version 4.12.25 or higher.

hono is an Ultrafast web framework for the Edges

Affected versions of this package are vulnerable to Incorrect Regular Expression via the ip-restriction middleware. An attacker can bypass configured deny rules for IPv6 addresses by submitting non-canonical representations, such as compressed or explicit-zero forms, causing the rule to be skipped.

Upgrade hono to version 4.12.21 or higher.

hono is an Ultrafast web framework for the Edges

Affected versions of this package are vulnerable to HTTP Response Splitting via the serialize function. An attacker can inject arbitrary attributes into the Set-Cookie response header by supplying crafted input to the sameSite or priority options.

Upgrade hono to version 4.12.21 or higher.

hono is an Ultrafast web framework for the Edges

Affected versions of this package are vulnerable to Improper Authorization via the jwt middleware when the Authorization header uses any scheme, not just Bearer. An attacker can gain unauthorized access by presenting a valid JWT under a non-Bearer scheme identifier.

Upgrade hono to version 4.12.21 or higher.

hono is an Ultrafast web framework for the Edges

Affected versions of this package are vulnerable to HTTP Request Smuggling via the app.mount function. An attacker can access unintended routes or resources by sending requests with percent-encoded multi-byte characters in the URL path, leading to incorrect routing.

Upgrade hono to version 4.12.21 or higher.

hono is an Ultrafast web framework for the Edges

Affected versions of this package are vulnerable to Use of Cache Containing Sensitive Information through the cache process in the cache middleware. An attacker can cause responses to be cached or served incorrectly by sending requests that elicit Vary headers, Authorization headers, or non-GET methods. As a result, users can receive stale or cross-request content, and authenticated or method-specific responses can be stored or reused in ways that break application behavior and expose the wrong response body.

Workarounds

• Avoid using the cache middleware on endpoints that return authenticated or per-user content unless you can mark those responses as non-cacheable; this prevents cross-user cache leakage and stale user-specific bodies.

Upgrade hono to version 4.12.18 or higher.

hono is an Ultrafast web framework for the Edges

Affected versions of this package are vulnerable to Improper Validation of Specified Quantity in Input through the verify function in the JWT component. An attacker can supply a signed token with malformed nbf, exp, or iat claims, including non-numeric values or non-finite numbers such as 1e400, to have the claims skipped during validation and use a token that should be rejected. This lets an attacker present tokens with invalid time-based claims and gain unauthorized access to protected JWT-backed functionality.

Note: This is only exploitable if the attacker can issue tokens accepted by the application or has control over the signing key.

Upgrade hono to version 4.12.18 or higher.

hono is an Ultrafast web framework for the Edges

Affected versions of this package are vulnerable to HTML Injection via the jsx element tag. An attacker can inject unintended HTML elements or attributes, corrupt the HTML structure, or execute scripts by supplying malicious tag names as input to the rendering process.

Note: This is only exploitable if applications construct JSX tag names from untrusted input; applications using static or allowlisted tag names are not affected.

Upgrade hono to version 4.12.16 or higher.

hono is an Ultrafast web framework for the Edges

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the bodyLimit function. An attacker can bypass request size restrictions by sending chunked or unknown-length requests, allowing oversized payloads to reach application handlers and potentially receive successful responses before the size check is enforced.

Upgrade hono to version 4.12.16 or higher.

hono is an Ultrafast web framework for the Edges

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the jsxAttr() and JSX attribute rendering paths in src/jsx/jsx-runtime.ts, src/jsx/base.ts, and src/jsx/dom/render.ts. An attacker can inject executable markup by supplying a crafted attribute name such as one containing quotes, angle brackets, or spaces through JSX props or spread attributes. This lets untrusted input break out of the intended attribute context during server-rendered output or DOM updates, leading to script execution in the user’s browser and compromising the affected page.

Upgrade hono to version 4.12.14 or higher.

hono is an Ultrafast web framework for the Edges

Affected versions of this package are vulnerable to Incorrect Behavior Order: Validate Before Canonicalize in the ipRestriction function. An attacker can bypass access restrictions by sending requests from IPv4-mapped IPv6 addresses, which are not properly matched against IPv4 allow or deny rules.

Upgrade hono to version 4.12.12 or higher.

hono is an Ultrafast web framework for the Edges

Affected versions of this package are vulnerable to Directory Traversal in the toSSG function when handling dynamic route parameters provided via ssgParams. An attacker can cause files to be written outside the intended output directory by supplying specially crafted values containing traversal sequences during static site generation.

Note:

This is only exploitable if an attacker can influence the values passed to ssgParams during the build process.

Upgrade hono to version 4.12.12 or higher.

hono is an Ultrafast web framework for the Edges

Affected versions of this package are vulnerable to Improper Input Validation via the getCookie function. An attacker can override legitimate cookies and bypass prefix protections by setting cookies with non-breaking space prefixes, leading to potential session fixation or hijacking.

Upgrade hono to version 4.12.12 or higher.

hono is an Ultrafast web framework for the Edges

Affected versions of this package are vulnerable to HTTP Response Splitting via the setCookie function. An attacker can cause runtime errors and potentially disrupt application behavior by supplying specially crafted input as the cookie name, leading to malformed Set-Cookie header values.

Upgrade hono to version 4.12.12 or higher.

hono is an Ultrafast web framework for the Edges

Affected versions of this package are vulnerable to Directory Traversal via the serveStatic function. An attacker can access sensitive static files intended to be protected by route-based middleware by crafting request paths with repeated slashes, thereby bypassing authorization checks.

Upgrade hono to version 4.12.12 or higher.

hono is an Ultrafast web framework for the Edges

Affected versions of this package are vulnerable to Prototype Pollution in parseBody(), when the dot option is enabled. An attacker can supply objects with __proto__ properties, which may later be merged by other functions in the application, polluting their prototypes.

Upgrade hono to version 4.12.7 or higher.

hono is an Ultrafast web framework for the Edges

Affected versions of this package are vulnerable to CRLF Injection via the writeSSE function when untrusted input containing carriage return or newline characters is passed to the event, id, or retry fields. An attacker can inject additional Server-Sent Events (SSE) fields within the same event frame by supplying specially crafted input.

Upgrade hono to version 4.12.4 or higher.

hono is an Ultrafast web framework for the Edges

Affected versions of this package are vulnerable to Improper Handling of URL Encoding (Hex Encoding) via inconsistent URL decoding between the serveStatic process and route-based middleware protections. An attacker can access protected static resources without authorization by requesting paths with encoded slashes - e.g. /admin%2Fsecret.html.

Note: This vulnerability specifically affects applications that rely solely on route-based middleware to protect static subpaths.

Upgrade hono to version 4.12.4 or higher.

hono is an Ultrafast web framework for the Edges

Affected versions of this package are vulnerable to CRLF Injection via the setCookie() utility. An attacker can inject unauthorized cookie attributes by supplying specially crafted input containing semicolons, carriage returns, or newline characters in the domain or path fields.

Notes:

• Successful exploitation requires the application to pass user-controlled input directly into the domain or path options of setCookie()
• This issue is limited to attribute-level manipulation within a single Set-Cookie header.

Upgrade hono to version 4.12.4 or higher.

hono is an Ultrafast web framework for the Edges

Affected versions of this package are vulnerable to Timing Attack via the timingSafeEqual() function. An attacker can infer sensitive information by performing timing analysis attacks during authentication comparisons.

Upgrade hono to version 4.11.10 or higher.

hono is an Ultrafast web framework for the Edges

Affected versions of this package are vulnerable to Use of Cache Containing Sensitive Information via improper handling of HTTP cache control directives, including Cache-Control: private and Cache-Control: no-store. An attacker can access sensitive information by sending unauthenticated requests that receive cached responses intended for authenticated users.

Upgrade hono to version 4.11.7 or higher.

hono is an Ultrafast web framework for the Edges

Affected versions of this package are vulnerable to Incorrect Authorization via improper validation of user-supplied paths in the serve-static middleware. An attacker can access internal asset keys by crafting requests that bypass intended path restrictions. This is only exploitable if the application is running on Cloudflare Workers and uses the Serve static Middleware with user-controllable request paths.

Upgrade hono to version 4.11.7 or higher.

hono is an Ultrafast web framework for the Edges

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the ErrorBoundary component of the jsx library, when untrusted user-controlled strings are rendered as raw HTML. An attacker can execute scripts in the victim's browser.

Upgrade hono to version 4.11.7 or higher.

hono is an Ultrafast web framework for the Edges

Affected versions of this package are vulnerable to Incorrect Regular Expression in the form of the IPV4_REGEX pattern not properly matching IPv4 octet ranges, and passing values above 255 on to convertIPv4ToBinary. An attacker can gain unauthorized access or bypass IP-based restrictions by submitting malicious IP addresses, such as via the X-Forwarded-For header. Applications that rely on these values for access control decisions are vulnerable.

Upgrade hono to version 4.11.7 or higher.

hono is an Ultrafast web framework for the Edges

Affected versions of this package are vulnerable to Use of a Broken or Risky Cryptographic Algorithm due to the JWT verification middleware using unsafe default fallback algorithm. An attacker can gain unauthorized access or escalate privileges by crafting JWTs with manipulated alg header values and force the middleware to use default HS256 algorithm for verification.

Note:

Users that configured their app without JWK/JWKS middleware or explicitly restrict allowed algorithms are not affected.

Upgrade hono to version 4.11.4 or higher.

hono is an Ultrafast web framework for the Edges

Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature due to the JWT verification middleware fallback on unverified JWT header when alg field is not present. An attacker can gain unauthorized access or escalate privileges by crafting JWTs with manipulated alg header values and force the middleware to use unsafe symmetric algorithms for verification.

Note:

Users that configured their app without JWK/JWKS middleware or explicitly restrict allowed algorithms are not affected.

Upgrade hono to version 4.11.4 or higher.

hono is an Ultrafast web framework for the Edges

Affected versions of this package are vulnerable to HTTP Request Smuggling via the CORS middleware, which copies the Vary header from the request to the response when the origin is not set to "*". An attacker can influence cache behavior or cause inconsistent cross-origin resource sharing enforcement by supplying crafted Vary headers in requests.

Note: This is exploitable if shared caches or proxies rely on the Vary header for cache key calculation.

Upgrade hono to version 4.10.3 or higher.

hono is an Ultrafast web framework for the Edges

Affected versions of this package are vulnerable to Unverified Ownership via the JWT authentication process. An attacker can gain unauthorized access to protected resources by presenting a valid token intended for a different audience when multiple services share the same issuer or keys.

Upgrade hono to version 4.10.2 or higher.

hono is an Ultrafast web framework for the Edges

Affected versions of this package are vulnerable to HTTP Request Smuggling via the bodyLimit middleware when conflicting HTTP headers are present. An attacker can cause excessive memory or CPU consumption by sending oversized request bodies that bypass the configured size limit.

Note: This is exploitable if the deployment environment or runtime does not reject requests with both Content-Length and Transfer-Encoding: chunked headers.

Upgrade hono to version 4.9.7 or higher.

hono is an Ultrafast web framework for the Edges

Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) through the csrf function. An attacker can bypass CSRF protection by sending a request without a Content-Type header.

Upgrade hono to version 4.6.5 or higher.

hono is an Ultrafast web framework for the Edges

Affected versions of this package are vulnerable to Cross-Site Request Forgery (CSRF) via the isRequestedByFormElementRe function. An attacker can bypass CSRF protection by using a crafted Content-Type header with case manipulation.

Upgrade hono to version 4.5.8 or higher.