hono 4.12.11

Direct Vulnerabilities

Known vulnerabilities in the hono package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
M Cross-site Scripting (XSS) hono is an Ultrafast web framework for the Edges Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the `jsxAttr()` and JSX attribute rendering paths in `src/jsx/jsx-runtime.ts`, `src/jsx/base.ts`, and `src/jsx/dom/render.ts`. An attacker can inject executable markup by supplying a crafted attribute name such as one containing quotes, angle brackets, or spaces through JSX props or spread attributes. This lets untrusted input break out of the intended attribute context during server-rendered output or DOM updates, leading to script execution in the user’s browser and compromising the affected page. How to fix Cross-site Scripting (XSS)? Upgrade `hono` to version 4.12.14 or higher.	<4.12.14
M Incorrect Behavior Order: Validate Before Canonicalize hono is an Ultrafast web framework for the Edges Affected versions of this package are vulnerable to Incorrect Behavior Order: Validate Before Canonicalize in the `ipRestriction` function. An attacker can bypass access restrictions by sending requests from IPv4-mapped IPv6 addresses, which are not properly matched against IPv4 allow or deny rules. How to fix Incorrect Behavior Order: Validate Before Canonicalize? Upgrade `hono` to version 4.12.12 or higher.	<4.12.12
M Directory Traversal hono is an Ultrafast web framework for the Edges Affected versions of this package are vulnerable to Directory Traversal in the `toSSG` function when handling dynamic route parameters provided via `ssgParams`. An attacker can cause files to be written outside the intended output directory by supplying specially crafted values containing traversal sequences during static site generation. Note: This is only exploitable if an attacker can influence the values passed to `ssgParams` during the build process. How to fix Directory Traversal? Upgrade `hono` to version 4.12.12 or higher.	>=4.0.0 <4.12.12
M Improper Input Validation hono is an Ultrafast web framework for the Edges Affected versions of this package are vulnerable to Improper Input Validation via the `getCookie` function. An attacker can override legitimate cookies and bypass prefix protections by setting cookies with non-breaking space prefixes, leading to potential session fixation or hijacking. How to fix Improper Input Validation? Upgrade `hono` to version 4.12.12 or higher.	<4.12.12
M HTTP Response Splitting hono is an Ultrafast web framework for the Edges Affected versions of this package are vulnerable to HTTP Response Splitting via the `setCookie` function. An attacker can cause runtime errors and potentially disrupt application behavior by supplying specially crafted input as the cookie name, leading to malformed `Set-Cookie` header values. How to fix HTTP Response Splitting? Upgrade `hono` to version 4.12.12 or higher.	<4.12.12
M Directory Traversal hono is an Ultrafast web framework for the Edges Affected versions of this package are vulnerable to Directory Traversal via the `serveStatic` function. An attacker can access sensitive static files intended to be protected by route-based middleware by crafting request paths with repeated slashes, thereby bypassing authorization checks. How to fix Directory Traversal? Upgrade `hono` to version 4.12.12 or higher.	<4.12.12

Vulnerability

Vulnerable Version

Cross-site Scripting (XSS)

hono is an Ultrafast web framework for the Edges

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the jsxAttr() and JSX attribute rendering paths in src/jsx/jsx-runtime.ts, src/jsx/base.ts, and src/jsx/dom/render.ts. An attacker can inject executable markup by supplying a crafted attribute name such as one containing quotes, angle brackets, or spaces through JSX props or spread attributes. This lets untrusted input break out of the intended attribute context during server-rendered output or DOM updates, leading to script execution in the user’s browser and compromising the affected page.

How to fix Cross-site Scripting (XSS)?

Upgrade hono to version 4.12.14 or higher.

<4.12.14

Incorrect Behavior Order: Validate Before Canonicalize

hono is an Ultrafast web framework for the Edges

Affected versions of this package are vulnerable to Incorrect Behavior Order: Validate Before Canonicalize in the ipRestriction function. An attacker can bypass access restrictions by sending requests from IPv4-mapped IPv6 addresses, which are not properly matched against IPv4 allow or deny rules.

How to fix Incorrect Behavior Order: Validate Before Canonicalize?

Upgrade hono to version 4.12.12 or higher.

<4.12.12

Directory Traversal

hono is an Ultrafast web framework for the Edges

Affected versions of this package are vulnerable to Directory Traversal in the toSSG function when handling dynamic route parameters provided via ssgParams. An attacker can cause files to be written outside the intended output directory by supplying specially crafted values containing traversal sequences during static site generation.

Note:

This is only exploitable if an attacker can influence the values passed to ssgParams during the build process.

How to fix Directory Traversal?

Upgrade hono to version 4.12.12 or higher.

>=4.0.0 <4.12.12

Improper Input Validation

hono is an Ultrafast web framework for the Edges

Affected versions of this package are vulnerable to Improper Input Validation via the getCookie function. An attacker can override legitimate cookies and bypass prefix protections by setting cookies with non-breaking space prefixes, leading to potential session fixation or hijacking.

How to fix Improper Input Validation?

Upgrade hono to version 4.12.12 or higher.

<4.12.12

HTTP Response Splitting

hono is an Ultrafast web framework for the Edges

Affected versions of this package are vulnerable to HTTP Response Splitting via the setCookie function. An attacker can cause runtime errors and potentially disrupt application behavior by supplying specially crafted input as the cookie name, leading to malformed Set-Cookie header values.

How to fix HTTP Response Splitting?

Upgrade hono to version 4.12.12 or higher.

<4.12.12

Directory Traversal

hono is an Ultrafast web framework for the Edges

Affected versions of this package are vulnerable to Directory Traversal via the serveStatic function. An attacker can access sensitive static files intended to be protected by route-based middleware by crafting request paths with repeated slashes, thereby bypassing authorization checks.

How to fix Directory Traversal?

Upgrade hono to version 4.12.12 or higher.

<4.12.12

hono@4.12.11

Web framework built on Web Standards

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically