hono@4.12.24

Web framework built on Web Standards

  • latest version

    4.12.27

  • latest non-vulnerable version

  • first published

    4 years ago

  • latest version published

    11 days ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the hono package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability | Vulnerable version
    • H (High severity)
    Permissive Cross-domain Policy with Untrusted Domains

    hono is an Ultrafast web framework for the Edges

    Affected versions of this package are vulnerable to Permissive Cross-domain Policy with Untrusted Domains in the CORS middleware. An attacker can access sensitive information and perform unauthorized actions by sending cross-origin requests with credentials from arbitrary origins. This is only exploitable if the application enables credentials and leaves the origin option unset or set to the wildcard (*).

    How to fix Permissive Cross-domain Policy with Untrusted Domains?

    Upgrade hono to version 4.12.25 or higher.

    Vulnerable versions: <4.12.25
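    The following is an added example, not hono's code, that contrasts the permissive pattern the advisory describes (credentials enabled while the origin is unset or "*", which in practice means reflecting whatever Origin the request carries) with a hardened CORS layer that refuses that configuration and reflects only allowlisted origins. The config shape loosely mirrors typical CORS middleware options; every function and the sample origins are hypothetical.

```javascript
'use strict';

// Config shape: { origin: string | string[] | undefined, credentials: boolean }.
// These functions are an illustration, not hono's middleware.

// Permissive pattern: with credentials on and no explicit origin, the only way
// to make a browser accept a credentialed response is to echo the request's
// Origin, which silently allows every origin on the internet.
function permissiveCorsHeaders(config, requestOrigin) {
  const headers = {};
  if (config.credentials) {
    headers['Access-Control-Allow-Origin'] = requestOrigin; // reflects anything
    headers['Access-Control-Allow-Credentials'] = 'true';
  } else {
    headers['Access-Control-Allow-Origin'] = config.origin === undefined ? '*' : config.origin;
  }
  return headers;
}

function isUnrestricted(origin) {
  return origin === undefined || origin === '*';
}

// Configuration-time check: credentials plus a wildcard or unset origin is an
// error, not something to be "fixed" by reflection at request time.
function validateCorsConfig(config) {
  if (config.credentials && isUnrestricted(config.origin)) {
    throw new Error('credentials: true requires an explicit origin allowlist');
  }
  return config;
}

// Request-time behaviour: reflect only allowlisted origins, and vary on Origin
// so a shared cache never serves one origin's answer to another.
function strictCorsHeaders(config, requestOrigin) {
  validateCorsConfig(config);
  const headers = { Vary: 'Origin' };
  if (isUnrestricted(config.origin)) {
    headers['Access-Control-Allow-Origin'] = '*'; // credentials are known to be off here
    return headers;
  }
  const allowlist = Array.isArray(config.origin) ? config.origin : [config.origin];
  if (requestOrigin && allowlist.includes(requestOrigin)) {
    headers['Access-Control-Allow-Origin'] = requestOrigin;
    if (config.credentials) headers['Access-Control-Allow-Credentials'] = 'true';
  }
  return headers; // no Allow-Origin header at all for an origin not on the list
}
```

    Omitting Access-Control-Allow-Origin for a non-allowlisted origin is the correct denial: the browser then blocks the response from being read, and no information about the allowlist leaks.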
    • M (Medium severity)
    Improper Encoding or Escaping of Output

    Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output in the AWS Lambda adapter's handling of multiple Set-Cookie headers. An attacker can cause clients to drop or misinterpret cookies by triggering responses that set multiple cookies, leading to broken sessions, forced re-authentication, or failure of preference and CSRF cookies. This is only exploitable if the application is deployed on AWS Lambda behind an ALB in single-header mode or VPC Lattice v2.

    How to fix Improper Encoding or Escaping of Output?

    Upgrade hono to version 4.12.25 or higher.

    Vulnerable versions: <4.12.25
    • H (High severity)
    Directory Traversal

    Affected versions of this package are vulnerable to Directory Traversal via the serve-static method on Windows hosts when an encoded backslash (%5C) in the request path is decoded to \, which is treated as a separator by the Windows path resolver. An attacker can access static files that are intended to be protected behind prefix-mounted middleware by crafting a request path containing an encoded backslash.

    How to fix Directory Traversal?

    Upgrade hono to version 4.12.25 or higher.

    Vulnerable versions: <4.12.25
    • M (Medium severity)
    Improperly Implemented Security Check for Standard

    Affected versions of this package are vulnerable to Improperly Implemented Security Check for Standard in the Lambda@Edge adapter that truncates repeated request headers. An attacker can bypass access restrictions or affect auditing mechanisms by sending repeated request headers, causing only the last value to be processed and earlier values to be ignored.

    How to fix Improperly Implemented Security Check for Standard?

    Upgrade hono to version 4.12.25 or higher.

    Vulnerable versions: <4.12.25
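    The following added example, not hono's adapter code, covers both adapter entries above: the Lambda@Edge request side, where a header-to-map conversion that keeps only the last value silently drops repeated headers, and the ALB response side, where a single-header response can carry only one Set-Cookie. The CloudFront and ALB structures are constructed here to model those event formats, and the function names are hypothetical.

```javascript
'use strict';

// Constructed CloudFront (Lambda@Edge) request headers: each lowercase name maps
// to an array of { key, value } entries, one entry per repeated header line.
const cfHeaders = {
  'x-forwarded-for': [
    { key: 'X-Forwarded-For', value: '203.0.113.7' },
    { key: 'X-Forwarded-For', value: '198.51.100.9' },
  ],
  cookie: [
    { key: 'Cookie', value: 'a=1' },
    { key: 'Cookie', value: 'b=2' },
  ],
};

// Lossy conversion: each later entry overwrites the earlier one, so any check
// or audit log that reads the map sees only the last value.
function truncatingHeaders(cf) {
  const out = {};
  for (const [name, entries] of Object.entries(cf)) {
    for (const e of entries) out[name] = e.value;
  }
  return out;
}

// Preserving conversion: repeated values are combined the way HTTP defines
// for list-valued fields (", "), with Cookie joined by "; " as browsers do.
function mergedHeaders(cf) {
  const out = {};
  for (const [name, entries] of Object.entries(cf)) {
    const sep = name === 'cookie' ? '; ' : ', ';
    out[name] = entries.map((e) => e.value).join(sep);
  }
  return out;
}

// Response direction: a single-valued "headers" object cannot hold two
// Set-Cookie lines. Emitting multiValueHeaders keeps every cookie intact.
function toAlbResponse(statusCode, headerPairs, body) {
  const multi = {};
  for (const [name, value] of headerPairs) {
    const key = name.toLowerCase();
    if (!multi[key]) multi[key] = [];
    multi[key].push(value);
  }
  return { statusCode, multiValueHeaders: multi, body };
}
```

    Whether the ALB actually forwards multiValueHeaders depends on the target group's multi-value header attribute; the conversion is only correct when that setting matches.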
    • M (Medium severity)
    Insufficient Verification of Data Authenticity

    Affected versions of this package are vulnerable to Insufficient Verification of Data Authenticity in the Body Limit Middleware. An attacker can cause the application to process payloads larger than the configured maximum by understating the Content-Length header in requests on AWS Lambda environments, leading to increased CPU and memory usage per request.

    How to fix Insufficient Verification of Data Authenticity?

    Upgrade hono to version 4.12.25 or higher.

    Vulnerable versions: <4.12.25
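    The following is an added example, not hono's body-limit middleware, contrasting a limit that trusts the client's Content-Length with one that counts the bytes actually received and stops at the first chunk over the limit. The request chunks are constructed Buffers standing in for a streamed body, and the function names are hypothetical.

```javascript
'use strict';

// Header-only check: a request that understates Content-Length passes, and the
// full body is still read and processed afterwards.
function declaredSizeWithinLimit(headers, maxBytes) {
  const declared = Number(headers['content-length']);
  return Number.isFinite(declared) && declared <= maxBytes;
}

// Counting check: the declared size is only a fast-path rejection. The real
// decision is made on bytes received, and reading stops as soon as the running
// total passes the limit, so an over-sized body is never fully buffered.
// `chunks` is an iterable of Buffer/Uint8Array pieces, constructed for this example.
function readBodyWithLimit(headers, chunks, maxBytes) {
  const declared = headers['content-length'];
  if (declared !== undefined && Number(declared) > maxBytes) {
    return { ok: false, reason: 'declared length over limit', received: 0 };
  }
  let received = 0;
  const parts = [];
  for (const chunk of chunks) {
    received += chunk.length;
    if (received > maxBytes) {
      return { ok: false, reason: 'body exceeds limit', received };
    }
    parts.push(chunk);
  }
  return { ok: true, body: Buffer.concat(parts), received };
}
```

    The same approach applies to any runtime that hands the body over as a stream: enforce the limit where the bytes arrive, and treat Content-Length as a hint for early rejection only.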