Use of Cache Containing Sensitive Information
hono is an ultrafast web framework for the Edges.
Affected versions of this package are vulnerable to Use of Cache Containing Sensitive Information through the cache process in the cache middleware. An attacker can cause responses to be cached or served incorrectly by sending requests that carry an Authorization header or use a non-GET method, or that elicit responses with Vary headers the cache does not account for. As a result, users can receive stale or cross-request content, and authenticated or method-specific responses can be stored or reused in ways that break application behavior and expose another request's response body.
Workarounds
- Avoid using the cache middleware on endpoints that return authenticated or per-user content unless you can mark those responses as non-cacheable; this prevents cross-user cache leakage and stale user-specific bodies.
How to fix Use of Cache Containing Sensitive Information? Upgrade hono to version 4.12.18 or higher.
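The three conditions named above (Vary, Authorization, non-GET) are exactly the ones a shared response cache has to gate on. The following is an added example written for this page, not hono's cache middleware: a cacheability check and a Vary-aware cache key. Requests and responses are plain objects ({ method, url, headers } and { status, headers }) with header names in any case; that shape and the function names are assumptions of the example.

```javascript
// Added example (not hono's cache middleware): a cacheability gate and a
// Vary-aware cache key for a shared HTTP response cache. Request/response
// shapes { method, url, headers } / { status, headers } are assumed here.

const CACHEABLE_METHODS = new Set(['GET', 'HEAD']);

// Case-insensitive header lookup on a plain object; null when absent.
function header(headers, name) {
  const want = name.toLowerCase();
  for (const [k, v] of Object.entries(headers || {})) {
    if (k.toLowerCase() === want) return v;
  }
  return null;
}

// Parse "public, max-age=60" into { public: true, 'max-age': '60' }.
function parseCacheControl(value) {
  const directives = {};
  for (const part of String(value || '').split(',')) {
    const [rawName, rawVal] = part.split('=');
    const name = rawName.trim().toLowerCase();
    if (name) directives[name] = rawVal === undefined ? true : rawVal.trim().replace(/^"|"$/g, '');
  }
  return directives;
}

// Decide whether a shared cache may store this response at all.
function isCacheable(req, res) {
  // POST, PUT, DELETE, ... are never stored: their responses are per request.
  if (!CACHEABLE_METHODS.has(String(req.method).toUpperCase())) return false;
  const cc = parseCacheControl(header(res.headers, 'cache-control'));
  if ('no-store' in cc || 'private' in cc) return false;
  if (header(res.headers, 'vary') === '*') return false;
  if (header(req.headers, 'authorization') !== null) {
    // RFC 9111 section 3.5: a shared cache must not store a response to a
    // request with Authorization unless the response explicitly allows it.
    if (!('public' in cc || 's-maxage' in cc || 'must-revalidate' in cc)) return false;
  }
  return true;
}

// Build the key under which a storable response is kept. Every header named
// in Vary contributes the request's value, so a gzip and an identity body, or
// two users' Cookie values, never share a slot.
function cacheKey(req, res) {
  const parts = [String(req.method).toUpperCase(), req.url];
  const vary = header(res.headers, 'vary');
  if (vary) {
    const names = vary.split(',').map(s => s.trim().toLowerCase()).filter(Boolean).sort();
    for (const name of names) parts.push(`${name}=${header(req.headers, name) ?? ''}`);
  }
  return parts.join('|');
}
```

A middleware built on this would call isCacheable before writing a response and cacheKey both when writing and when reading; the workaround in the entry above (marking per-user responses Cache-Control: private or no-store) is what makes isCacheable return false for them.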
Improper Validation of Specified Quantity in Input
hono is an ultrafast web framework for the Edges.
Affected versions of this package are vulnerable to Improper Validation of Specified Quantity in Input through the verify function in the JWT component. An attacker can supply a signed token with malformed nbf, exp, or iat claims, including non-numeric values or non-finite numbers such as 1e400 (which JSON.parse decodes to Infinity), to have those claims skipped during validation and use a token that should be rejected. This lets an attacker present tokens with invalid time-based claims and gain unauthorized access to protected JWT-backed functionality.
Note: This is only exploitable if the attacker can issue tokens accepted by the application or has control over the signing key.
How to fix Improper Validation of Specified Quantity in Input? Upgrade hono to version 4.12.18 or higher.
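The correct behaviour is to treat a present but malformed date claim as a verification failure, not as an absent claim. The following is an added example written for this page, not hono's verify function: it decodes a compact JWS payload, rejects exp/nbf/iat values that are not finite JSON numbers, and only then applies the time comparisons. Signature verification is assumed to have already happened; makeToken, checkTimeClaims and the tokens built from raw JSON are constructed for the example.

```javascript
// Added example (not hono's JWT verify): strict handling of the NumericDate
// claims exp, nbf and iat. Signature checking is assumed to precede this step.

function b64urlEncode(str) {
  return Buffer.from(str, 'utf8').toString('base64')
    .replace(/=+$/, '').replace(/\+/g, '-').replace(/\//g, '_');
}

function b64urlDecode(seg) {
  const b64 = seg.replace(/-/g, '+').replace(/_/g, '/');
  return Buffer.from(b64 + '='.repeat((4 - (b64.length % 4)) % 4), 'base64').toString('utf8');
}

// Decode the payload segment of a compact JWS. JSON.parse is where a literal
// such as 1e400 silently becomes Infinity, so the claim check below must not
// trust "typeof === 'number'" alone.
function decodePayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed compact JWS');
  return JSON.parse(b64urlDecode(parts[1]));
}

// RFC 7519 section 2: a NumericDate is a JSON number of seconds since the epoch.
function isNumericDate(value) {
  return typeof value === 'number' && Number.isFinite(value);
}

// Returns 'ok' or a reason string. A present claim is either validated or the
// token is rejected; it is never skipped.
function checkTimeClaims(payload, nowSeconds = Math.floor(Date.now() / 1000), leewaySeconds = 0) {
  for (const name of ['exp', 'nbf', 'iat']) {
    if (name in payload && !isNumericDate(payload[name])) return `invalid ${name}`;
  }
  if ('exp' in payload && nowSeconds >= payload.exp + leewaySeconds) return 'expired';
  if ('nbf' in payload && nowSeconds + leewaySeconds < payload.nbf) return 'not yet valid';
  if ('iat' in payload && payload.iat > nowSeconds + leewaySeconds) return 'issued in the future';
  return 'ok';
}

// Build a token from a raw JSON payload string so that non-standard literals
// like 1e400 reach JSON.parse unchanged. The signature segment is a placeholder:
// only claim handling is demonstrated here (constructed test data).
function makeToken(payloadJson) {
  return `${b64urlEncode('{"alg":"HS256","typ":"JWT"}')}.${b64urlEncode(payloadJson)}.sig`;
}
```

Note the order: type and finiteness are checked for every claim before any comparison, because `now >= Infinity` is simply false and would otherwise pass a token that never expires. The same applies to a string value, where `now >= "9999999999"` coerces silently.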
Improper Encoding or Escaping of Output
hono is an ultrafast web framework for the Edges.
Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output through the styleObjectForEach and jsxAttr style serialization paths in the JSX runtime. An attacker can inject arbitrary CSS declarations by supplying crafted style object values or property names containing declaration separators such as ;, comments, braces, or other CSS syntax, causing the generated style attribute to include attacker-controlled rules. When application code renders untrusted style objects, the injected CSS can override the page's layout and presentation, hide or reposition content, and load attacker-controlled resources in the victim's browser, but it does not enable JavaScript execution or HTML attribute breakout.
How to fix Improper Encoding or Escaping of Output? Upgrade hono to version 4.12.18 or higher.
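To make the injection concrete, here is an added example written for this page, not hono's JSX runtime: a naive style-object serializer that shows the bug class (name and value concatenated verbatim into the style attribute) beside a hardened one that validates property names and drops values carrying CSS delimiters. serializeStyleNaive, serializeStyleSafe, styleAttribute and the style objects used are all constructed for the example.

```javascript
// Added example (not hono's JSX runtime): vulnerable and hardened style-object
// serialization. Names and inputs are constructed for this illustration.

// camelCase -> kebab-case; custom properties (--foo) are passed through.
function toCssName(name) {
  return name.startsWith('--') ? name : name.replace(/[A-Z]/g, m => '-' + m.toLowerCase());
}

// Vulnerable pattern: ";", "{", "}" or "/*" in a name or value becomes CSS
// syntax inside the attribute, so a value can smuggle extra declarations.
function serializeStyleNaive(style) {
  return Object.entries(style)
    .map(([name, value]) => `${toCssName(name)}:${value}`)
    .join(';');
}

// Hardened: a property name must be a plain identifier or a custom property,
// and a value may not carry declaration, block or comment delimiters.
// Offending entries are dropped rather than escaped: a CSS-escaped ";" inside
// an unquoted value would only yield an invalid declaration anyway.
const PROPERTY_NAME = /^(--[\w-]+|-?[a-zA-Z][\w-]*)$/;
const UNSAFE_VALUE = /[;{}]|\/\*|\*\/|[\r\n]/;

function serializeStyleSafe(style) {
  const out = [];
  for (const [name, rawValue] of Object.entries(style)) {
    const cssName = toCssName(name);
    const value = String(rawValue);
    if (!PROPERTY_NAME.test(cssName)) continue;
    if (UNSAFE_VALUE.test(value)) continue;
    out.push(`${cssName}:${value}`);
  }
  return out.join(';');
}

// Separate concern: the attribute value must still be HTML-escaped so a '"'
// in a CSS string cannot break out of style="...". CSS validation above does
// not replace this step.
function escapeAttr(s) {
  return s.replace(/&/g, '&amp;').replace(/"/g, '&quot;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

function styleAttribute(style) {
  return `style="${escapeAttr(serializeStyleSafe(style))}"`;
}
```

Dropping rather than escaping is a deliberate choice: the legitimate values a style prop carries (colours, lengths, font stacks, url() with a quoted string) never need a bare ";", "{" or "/*", so rejecting them costs nothing and removes the whole injection surface.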