Upgrade hono to version 4.12.18 or higher.
hono is an ultrafast web framework for the Edges.
Affected versions of this package are vulnerable to Improper Validation of Specified Quantity in Input through the verify function in the JWT component. An attacker can supply a signed token with malformed nbf, exp, or iat claims, including non-numeric values or non-finite numbers such as 1e400, to have the claims skipped during validation and use a token that should be rejected. This lets an attacker present tokens with invalid time-based claims and gain unauthorized access to protected JWT-backed functionality.
Note: This is only exploitable if the attacker can issue tokens accepted by the application or has control over the signing key.
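The class of bug described above, as an added JavaScript example that is not hono's code and not part of the advisory: lenientCheck is a constructed model of a validator that skips time claims it cannot interpret, and strictCheck rejects any nbf, exp or iat that is present but is not a finite number. The function names and sample payloads are assumptions made for illustration.

```javascript
// Added example: strict validation of JWT time claims (not hono's code).
// lenientCheck is a constructed model of a validator that silently skips
// claims it cannot interpret; strictCheck rejects them instead.

const TIME_CLAIMS = ["nbf", "exp", "iat"];

// Constructed weak pattern: a claim is enforced only when it is a finite number.
function lenientCheck(payload, now) {
  const usable = (v) => typeof v === "number" && Number.isFinite(v);
  if (usable(payload.nbf) && payload.nbf > now) return "not yet valid";
  if (usable(payload.exp) && payload.exp <= now) return "expired";
  if (usable(payload.iat) && payload.iat > now) return "issued in the future";
  return "accepted";
}

// Hardened pattern: a claim that is present must be a finite number, else reject.
function strictCheck(payload, now) {
  for (const name of TIME_CLAIMS) {
    if (!(name in payload)) continue; // whether a claim is required is separate policy
    const v = payload[name];
    if (typeof v !== "number" || !Number.isFinite(v)) {
      return `malformed ${name}`;
    }
  }
  return lenientCheck(payload, now);
}

// Constructed payloads, parsed the way a decoded JWT body would be.
const now = 1700000000;
const samples = [
  '{"sub":"a","exp":1e400}',                 // JSON.parse yields Infinity
  '{"sub":"a","exp":"1600000000"}',          // string, not a number
  '{"sub":"a","nbf":null,"exp":1600000000}', // null nbf, exp already in the past
  '{"sub":"a","exp":1800000000}',            // well-formed and still valid
];

function runSamples() {
  return samples.map((s) => {
    const p = JSON.parse(s);
    return { lenient: lenientCheck(p, now), strict: strictCheck(p, now) };
  });
}

for (const r of runSamples()) console.log(r);
```

The first two payloads are accepted by the lenient check although their exp can never be enforced, which is the behaviour a regression test for the upgrade should assert against.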