hono@4.12.2 vulnerabilities

Web framework built on Web Standards

  • latest version

    4.12.8

  • latest non vulnerable version

  • first published

    4 years ago

  • latest version published

    13 hours ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the hono package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability | Vulnerable Version
    • M
    Prototype Pollution

    hono is an Ultrafast web framework for the Edges

    Affected versions of this package are vulnerable to Prototype Pollution in parseBody(), when the dot option is enabled. An attacker can supply objects with __proto__ properties, which may later be merged by other functions in the application, polluting their prototypes.

    How to fix Prototype Pollution?

    Upgrade hono to version 4.12.7 or higher.

    <4.12.7
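    The entry above describes a parsed body carrying a __proto__ key that later pollutes a prototype when the application merges it. The following is an added example of the defensive check an application can run on the parsed body before merging it; it is not hono's code, and findPollutingKey, safeMerge and SAMPLE_BODY are assumed names and constructed input, not part of hono's API.

```javascript
// Added example (not hono's code): inspect a parsed request body for
// prototype-polluting keys before it is merged into application state.
// A body parser with dot-notation expansion turns "a.b=1" into { a: { b: 1 } },
// so the same mechanism can produce a nested "__proto__" key.

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Walk a plain object tree and return the dotted path of the first forbidden
// key, or null when the body is clean. Only own keys are visited, which is
// exactly where a parser puts a "__proto__" key it read from the request.
function findPollutingKey(value, path = []) {
  if (value === null || typeof value !== 'object') return null;
  for (const key of Object.keys(value)) {
    const here = [...path, key];
    if (FORBIDDEN_KEYS.has(key)) return here.join('.');
    const hit = findPollutingKey(value[key], here);
    if (hit !== null) return hit;
  }
  return null;
}

// Merge a body into a target object while skipping forbidden keys and giving
// nested objects a null prototype, so nothing written here can reach
// Object.prototype. Returns the target.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const val = source[key];
    if (val !== null && typeof val === 'object' && !Array.isArray(val)) {
      if (target[key] === null || typeof target[key] !== 'object') {
        target[key] = Object.create(null);
      }
      safeMerge(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Constructed sample: JSON.parse creates "__proto__" as an own property, the
// same shape a body parser produces from request input.
const SAMPLE_BODY = JSON.parse(
  '{"name":"alice","profile":{"__proto__":{"isAdmin":true}}}'
);

// Example run: the detector names the offending path, and the safe merge
// leaves both the merged copy and Object.prototype untouched by it.
function demo() {
  return {
    offendingKey: findPollutingKey(SAMPLE_BODY),
    merged: safeMerge({}, SAMPLE_BODY),
    prototypeClean: ({}).isAdmin === undefined,
  };
}
```

    In a request handler, a non-null result from findPollutingKey is a reason to reject the request rather than to strip the key silently; safeMerge is the fallback for code paths that must accept the body anyway.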
    • M
    CRLF Injection

    Affected versions of this package are vulnerable to CRLF Injection via the writeSSE function when untrusted input containing carriage return or newline characters is passed to the event, id, or retry fields. An attacker can inject additional Server-Sent Events (SSE) fields within the same event frame by supplying specially crafted input.

    How to fix CRLF Injection?

    Upgrade hono to version 4.12.4 or higher.

    >=3.8.0 <4.12.4
    • M
    Improper Handling of URL Encoding (Hex Encoding)

    Affected versions of this package are vulnerable to Improper Handling of URL Encoding (Hex Encoding) via inconsistent URL decoding between the serveStatic process and route-based middleware protections. An attacker can access protected static resources without authorization by requesting paths with encoded slashes - e.g. /admin%2Fsecret.html.

    Note: This vulnerability specifically affects applications that rely solely on route-based middleware to protect static subpaths.

    How to fix Improper Handling of URL Encoding (Hex Encoding)?

    Upgrade hono to version 4.12.4 or higher.

    <4.12.4
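    The entry above turns on the static file handler and the route middleware interpreting the same request path differently. As an added example (not hono's code), the function below normalizes a path once, the way a file-serving layer would read it, before a prefix-based authorization check is applied; normalizePath, isProtected and PROTECTED_PREFIXES are assumed names, and the sample paths are constructed. The check also covers the related failure modes of dot segments and malformed percent-encoding, which the entry does not mention.

```javascript
// Added example (not hono's code): apply the same path normalization the
// static file handler will use before deciding whether a route guard applies.

// Decode percent-encoding exactly once, then resolve "." and ".." segments and
// collapse empty segments. Returns null when the encoding is malformed so the
// caller can fail closed instead of guessing.
function normalizePath(rawPath) {
  let decoded;
  try {
    decoded = decodeURIComponent(rawPath);
  } catch (e) {
    return null; // e.g. a bare "%" or a truncated "%2"
  }
  const out = [];
  for (const seg of decoded.split('/')) {
    if (seg === '' || seg === '.') continue;       // "//" and "/./" add nothing
    if (seg === '..') { out.pop(); continue; }     // never climbs above the root
    out.push(seg);
  }
  return '/' + out.join('/');
}

// Prefixes that a route-based guard is meant to protect (constructed sample).
const PROTECTED_PREFIXES = ['/admin/'];

// True when the normalized path falls under a protected prefix, or when the
// path cannot be normalized at all.
function isProtected(rawPath) {
  const p = normalizePath(rawPath);
  if (p === null) return true;
  return PROTECTED_PREFIXES.some(
    (prefix) => p === prefix.slice(0, -1) || p.startsWith(prefix)
  );
}

// Example run over constructed request paths.
function demo() {
  return ['/admin%2Fsecret.html', '/public/index.html', '/%2e%2e/admin/x', '/admin%ZZ']
    .map((path) => ({ path, normalized: normalizePath(path), protected: isProtected(path) }));
}
```

    The normalization must match what the static handler actually does: it decodes once here, so if the file-serving layer decodes a second time the guard has to do the same, otherwise the two layers disagree again. Enforcing the check inside the static handler itself, rather than only in route middleware in front of it, removes the dependency entirely.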
    • M
    CRLF Injection

    Affected versions of this package are vulnerable to CRLF Injection via the setCookie() utility. An attacker can inject unauthorized cookie attributes by supplying specially crafted input containing semicolons, carriage returns, or newline characters in the domain or path fields.

    Notes:

    • Successful exploitation requires the application to pass user-controlled input directly into the domain or path options of setCookie().
    • This issue is limited to attribute-level manipulation within a single Set-Cookie header.

    How to fix CRLF Injection?

    Upgrade hono to version 4.12.4 or higher.

    >=0.2.1 <4.12.4
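    Both CRLF entries on this page (writeSSE event/id/retry fields and setCookie() domain/path attributes) share one root cause: a value that may contain carriage return, newline or, for cookies, a semicolon is placed into a line-oriented format. As an added example (not hono's code), the helpers below validate such values before they are formatted; assertNoCRLF, formatSSE and formatSetCookie are assumed names that mirror the shape of the page's two cases, and the inputs are constructed.

```javascript
// Added example (not hono's code): validate values before they are written
// into an SSE frame or a Set-Cookie header, covering both CRLF entries above.

const CRLF_RE = /[\r\n]/;

// Throw if a value could end the current line and start another field.
function assertNoCRLF(name, value) {
  const s = String(value);
  if (CRLF_RE.test(s)) throw new TypeError(`${name} must not contain CR or LF`);
  return s;
}

// Build one Server-Sent Events frame. Only "data" may span several lines, and
// it is emitted as one "data:" line per line, so a newline inside data can
// never become a different field.
function formatSSE({ event, id, retry, data }) {
  const lines = [];
  if (event !== undefined) lines.push(`event: ${assertNoCRLF('event', event)}`);
  if (id !== undefined) lines.push(`id: ${assertNoCRLF('id', id)}`);
  if (retry !== undefined) {
    if (!Number.isInteger(retry) || retry < 0) {
      throw new TypeError('retry must be a non-negative integer');
    }
    lines.push(`retry: ${retry}`);
  }
  for (const line of String(data).split(/\r\n|\r|\n/)) lines.push(`data: ${line}`);
  return lines.join('\n') + '\n\n';
}

// Build a Set-Cookie header value. Besides CR/LF, every component also rejects
// ";" because it separates attributes within a single header.
function formatSetCookie(name, value, { domain, path } = {}) {
  const token = (label, v) => {
    const s = assertNoCRLF(label, v);
    if (s.includes(';')) throw new TypeError(`${label} must not contain ';'`);
    return s;
  };
  const parts = [`${token('name', name)}=${token('value', value)}`];
  if (domain !== undefined) parts.push(`Domain=${token('Domain', domain)}`);
  if (path !== undefined) parts.push(`Path=${token('Path', path)}`);
  return parts.join('; ');
}

// Helper for callers that prefer a boolean over an exception.
function rejects(fn) {
  try { fn(); return false; } catch (e) { return true; }
}
```

    Rejecting the request is the right response when the offending value came from user input; stripping the characters instead would let a mangled but still attacker-shaped value through.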