hono 4.0.8 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the hono package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
H Unverified Ownership hono is an Ultrafast web framework for the Edges Affected versions of this package are vulnerable to Unverified Ownership via the JWT authentication process. An attacker can gain unauthorized access to protected resources by presenting a valid token intended for a different audience when multiple services share the same issuer or keys. How to fix Unverified Ownership? Upgrade `hono` to version 4.10.2 or higher.	>=1.1.0 <4.10.2
M HTTP Request Smuggling hono is an Ultrafast web framework for the Edges Affected versions of this package are vulnerable to HTTP Request Smuggling via the `bodyLimit` middleware when conflicting HTTP headers are present. An attacker can cause excessive memory or CPU consumption by sending oversized request bodies that bypass the configured size limit. Note: This is exploitable if the deployment environment or runtime does not reject requests with both `Content-Length` and `Transfer-Encoding: chunked` headers. How to fix HTTP Request Smuggling? Upgrade `hono` to version 4.9.7 or higher.	<4.9.7
M Cross-site Request Forgery (CSRF) hono is an Ultrafast web framework for the Edges Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) through the `csrf` function. An attacker can bypass CSRF protection by sending a request without a Content-Type header. How to fix Cross-site Request Forgery (CSRF)? Upgrade `hono` to version 4.6.5 or higher.	<4.6.5
L Cross-Site Request Forgery (CSRF) hono is an Ultrafast web framework for the Edges Affected versions of this package are vulnerable to Cross-Site Request Forgery (CSRF) via the `isRequestedByFormElementRe` function. An attacker can bypass CSRF protection by using a crafted Content-Type header with case manipulation. How to fix Cross-Site Request Forgery (CSRF)? Upgrade `hono` to version 4.5.8 or higher.	<4.5.8
M Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') hono is an Ultrafast web framework for the Edges Affected versions of this package are vulnerable to Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') such that when using `serveStatic` with deno, it is possible to traverse the directory where `main.ts` is located, leading to the retrieval of unexpected files. How to fix Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')? Upgrade `hono` to version 4.2.7 or higher.	<4.2.7

Vulnerability

Vulnerable Version

Unverified Ownership

hono is an Ultrafast web framework for the Edges

Affected versions of this package are vulnerable to Unverified Ownership via the JWT authentication process. An attacker can gain unauthorized access to protected resources by presenting a valid token intended for a different audience when multiple services share the same issuer or keys.

How to fix Unverified Ownership?

Upgrade hono to version 4.10.2 or higher.

>=1.1.0 <4.10.2

HTTP Request Smuggling

hono is an Ultrafast web framework for the Edges

Affected versions of this package are vulnerable to HTTP Request Smuggling via the bodyLimit middleware when conflicting HTTP headers are present. An attacker can cause excessive memory or CPU consumption by sending oversized request bodies that bypass the configured size limit.

Note: This is exploitable if the deployment environment or runtime does not reject requests with both Content-Length and Transfer-Encoding: chunked headers.

How to fix HTTP Request Smuggling?

Upgrade hono to version 4.9.7 or higher.

<4.9.7

Cross-site Request Forgery (CSRF)

hono is an Ultrafast web framework for the Edges

Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) through the csrf function. An attacker can bypass CSRF protection by sending a request without a Content-Type header.

How to fix Cross-site Request Forgery (CSRF)?

Upgrade hono to version 4.6.5 or higher.

<4.6.5

Cross-Site Request Forgery (CSRF)

hono is an Ultrafast web framework for the Edges

Affected versions of this package are vulnerable to Cross-Site Request Forgery (CSRF) via the isRequestedByFormElementRe function. An attacker can bypass CSRF protection by using a crafted Content-Type header with case manipulation.

How to fix Cross-Site Request Forgery (CSRF)?

Upgrade hono to version 4.5.8 or higher.

<4.5.8

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

hono is an Ultrafast web framework for the Edges

Affected versions of this package are vulnerable to Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') such that when using serveStatic with deno, it is possible to traverse the directory where main.ts is located, leading to the retrieval of unexpected files.

How to fix Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')?

Upgrade hono to version 4.2.7 or higher.

<4.2.7

hono@4.0.8 vulnerabilities

Web framework built on Web Standards

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically