hono (npm) security advisories

MEDIUM 4.3

npm

CVE-2026-47675

Hono: Cookie helper does not sanitize sameSite and priority, allowing Set-Cookie injection

Jun 4, 2026

MEDIUM 5.3

npm

CVE-2026-47674

Hono: IP Restriction bypasses static deny rules for non-canonical IPv6

Jun 4, 2026

MEDIUM 5.3

npm

CVE-2026-47676

Hono: app.mount() strips mount prefix using undecoded path, causing incorrect routing for percent-encoded paths

Jun 4, 2026

MEDIUM 4.8

npm

CVE-2026-47673

Hono: JWT middleware accepts any Authorization scheme, not only Bearer

Jun 4, 2026

MEDIUM 5.3

npm

CVE-2026-44457

Hono's Cache Middleware ignores Vary: Authorization / Vary: Cookie leading to cross-user cache leakage

May 9, 2026

LOW 3.8

npm

CVE-2026-44459

Hono has improper validation of NumericDate claims (exp, nbf, iat) in JWT verify()

May 9, 2026

MEDIUM 6.5

npm

CVE-2026-44456

Hono: bodyLimit() can be bypassed for chunked / unknown-length requests

May 6, 2026

MEDIUM 4.7

npm

CVE-2026-44455

hono/jsx has Unvalidated JSX Tag Names that May Allow HTML Injection

May 6, 2026

MEDIUM 4.3

npm

CVE-2026-44458

Hono has CSS Declaration Injection via Style Object Values in JSX SSR

May 9, 2026

MEDIUM 5.3

npm

CVE-2026-39409

Hono has incorrect IP matching in ipRestriction() for IPv4-mapped IPv6 addresses

Apr 8, 2026

MEDIUM 4.3

npm

GHSA-458j-xx4x-4375

hono Improperly Handles JSX Attribute Names Allows HTML Injection in hono/jsx SSR

Apr 16, 2026

MEDIUM 5.3

npm

GHSA-26pp-8wgv-hjvm

Hono missing validation of cookie name on write path in setCookie()

Apr 8, 2026

MEDIUM 4.8

npm

CVE-2026-39410

Hono: Non-breaking space prefix bypass in cookie name handling in getCookie()

Apr 8, 2026

MEDIUM 5.3

npm

CVE-2026-39407

Hono: Middleware bypass via repeated slashes in serveStatic

Apr 8, 2026

UNKNOWN

npm

CVE-2026-39408

Hono: Path traversal in toSSG() allows writing files outside the output directory

Apr 8, 2026

MEDIUM 4.2

npm

CVE-2023-50710

Named path parameters can be overridden in TrieRouter

Dec 15, 2023

MEDIUM 5.0

npm

CVE-2024-43787

Hono CSRF middleware can be bypassed using crafted Content-Type header

Aug 22, 2024

HIGH 8.1

npm

CVE-2025-62610

Hono Improper Authorization vulnerability

Oct 22, 2025

MEDIUM 5.9

npm

CVE-2024-48913

Hono allows bypass of CSRF Middleware by a request without Content-Type header.

Oct 15, 2024

MEDIUM 5.3

npm

CVE-2025-59139

Hono has Body Limit Middleware Bypass

Sep 12, 2025

MEDIUM 5.3

npm

CVE-2024-32869

Hono vulnerable to Restricted Directory Traversal in serveStatic with deno

Apr 23, 2024

MEDIUM 5.4

npm

CVE-2026-29086

Hono Vulnerable to Cookie Attribute Injection via Unsanitized domain and path in setCookie()

Mar 4, 2026

MEDIUM 6.5

npm

CVE-2026-29085

Hono Vulnerable to SSE Control Field Injection via CR/LF in writeSSE()

Mar 4, 2026

HIGH 7.5

npm

CVE-2026-29045

Hono vulnerable to arbitrary file access via serveStatic vulnerability

Mar 4, 2026

MEDIUM 4.8

npm

GHSA-v8w9-8mx6-g223

Hono vulnerable to Prototype Pollution possible through proto key allowed in parseBody({ dot: true })

Mar 11, 2026

HIGH 8.2

npm

CVE-2026-27700

Hono is Vulnerable to Authentication Bypass by IP Spoofing in AWS Lambda ALB conninfo

Feb 25, 2026

LOW 3.7

npm

GHSA-gq3j-xvxp-8hrf

Hono added timing comparison hardening in basicAuth and bearerAuth

Feb 19, 2026

MEDIUM 4.8

npm

CVE-2026-24398

Hono IPv4 address validation bypass in IP Restriction Middleware allows IP spoofing

Jan 27, 2026

MEDIUM 4.7

npm

CVE-2026-24771

Hono vulnerable to XSS through ErrorBoundary component

Jan 28, 2026

MEDIUM 5.3

npm

CVE-2026-24473

Hono has an Arbitrary Key Read in Serve static Middleware (Cloudflare Workers Adapter)

Jan 27, 2026

MEDIUM 5.3

npm

CVE-2026-24472

Hono cache middleware ignores "Cache-Control: private" leading to Web Cache Deception

Jan 27, 2026

HIGH 8.2

npm

CVE-2026-22817

Hono JWT Middleware's JWT Algorithm Confusion via Unsafe Default (HS256) Allows Token Forgery and Auth Bypass

Jan 13, 2026

HIGH 8.2

npm

CVE-2026-22818

Hono JWK Auth Middleware has JWT algorithm confusion when JWK lacks "alg" (untrusted header.alg fallback)

Jan 13, 2026

MEDIUM 4.2

npm

GHSA-q7jf-gf43-6x6p

Hono vulnerable to Vary Header Injection leading to potential CORS Bypass

Oct 24, 2025

HIGH 7.5

npm

CVE-2025-58362

Hono's flaw in URL path parsing could cause path confusion

Sep 3, 2025

hono

Vulnerabilities

Hono: Cookie helper does not sanitize sameSite and priority, allowing Set-Cookie injection

Hono: IP Restriction bypasses static deny rules for non-canonical IPv6

Hono: app.mount() strips mount prefix using undecoded path, causing incorrect routing for percent-encoded paths

Hono: JWT middleware accepts any Authorization scheme, not only Bearer

Hono's Cache Middleware ignores Vary: Authorization / Vary: Cookie leading to cross-user cache leakage

Hono has improper validation of NumericDate claims (exp, nbf, iat) in JWT verify()

Hono: bodyLimit() can be bypassed for chunked / unknown-length requests

hono/jsx has Unvalidated JSX Tag Names that May Allow HTML Injection

Hono has CSS Declaration Injection via Style Object Values in JSX SSR

Hono has incorrect IP matching in ipRestriction() for IPv4-mapped IPv6 addresses

hono Improperly Handles JSX Attribute Names Allows HTML Injection in hono/jsx SSR

Hono missing validation of cookie name on write path in setCookie()

Hono: Non-breaking space prefix bypass in cookie name handling in getCookie()

Hono: Middleware bypass via repeated slashes in serveStatic

Hono: Path traversal in toSSG() allows writing files outside the output directory

Named path parameters can be overridden in TrieRouter

Hono CSRF middleware can be bypassed using crafted Content-Type header

Hono Improper Authorization vulnerability

Hono allows bypass of CSRF Middleware by a request without Content-Type header.

Hono has Body Limit Middleware Bypass

Hono vulnerable to Restricted Directory Traversal in serveStatic with deno

Hono Vulnerable to Cookie Attribute Injection via Unsanitized domain and path in setCookie()

Hono Vulnerable to SSE Control Field Injection via CR/LF in writeSSE()

Hono vulnerable to arbitrary file access via serveStatic vulnerability

Hono vulnerable to Prototype Pollution possible through proto key allowed in parseBody({ dot: true })

Hono is Vulnerable to Authentication Bypass by IP Spoofing in AWS Lambda ALB conninfo

Hono added timing comparison hardening in basicAuth and bearerAuth

Hono IPv4 address validation bypass in IP Restriction Middleware allows IP spoofing

Hono vulnerable to XSS through ErrorBoundary component

Hono has an Arbitrary Key Read in Serve static Middleware (Cloudflare Workers Adapter)

Hono cache middleware ignores "Cache-Control: private" leading to Web Cache Deception

Hono JWT Middleware's JWT Algorithm Confusion via Unsafe Default (HS256) Allows Token Forgery and Auth Bypass

Hono JWK Auth Middleware has JWT algorithm confusion when JWK lacks "alg" (untrusted header.alg fallback)

Hono vulnerable to Vary Header Injection leading to potential CORS Bypass

Hono's flaw in URL path parsing could cause path confusion

Start Securing

hono

Vulnerabilities

Hono: Cookie helper does not sanitize sameSite and priority, allowing Set-Cookie injection

Hono: IP Restriction bypasses static deny rules for non-canonical IPv6

Hono: app.mount() strips mount prefix using undecoded path, causing incorrect routing for percent-encoded paths

Hono: JWT middleware accepts any Authorization scheme, not only Bearer

Hono's Cache Middleware ignores Vary: Authorization / Vary: Cookie leading to cross-user cache leakage

Hono has improper validation of NumericDate claims (exp, nbf, iat) in JWT verify()

Hono: bodyLimit() can be bypassed for chunked / unknown-length requests

hono/jsx has Unvalidated JSX Tag Names that May Allow HTML Injection

Hono has CSS Declaration Injection via Style Object Values in JSX SSR

Hono has incorrect IP matching in ipRestriction() for IPv4-mapped IPv6 addresses

hono Improperly Handles JSX Attribute Names Allows HTML Injection in hono/jsx SSR

Hono missing validation of cookie name on write path in setCookie()

Hono: Non-breaking space prefix bypass in cookie name handling in getCookie()

Hono: Middleware bypass via repeated slashes in serveStatic

Hono: Path traversal in toSSG() allows writing files outside the output directory

Named path parameters can be overridden in TrieRouter

Hono CSRF middleware can be bypassed using crafted Content-Type header

Hono Improper Authorization vulnerability

Hono allows bypass of CSRF Middleware by a request without Content-Type header.

Hono has Body Limit Middleware Bypass

Hono vulnerable to Restricted Directory Traversal in serveStatic with deno

Hono Vulnerable to Cookie Attribute Injection via Unsanitized domain and path in setCookie()

Hono Vulnerable to SSE Control Field Injection via CR/LF in writeSSE()

Hono vulnerable to arbitrary file access via serveStatic vulnerability

Hono vulnerable to Prototype Pollution possible through __proto__ key allowed in parseBody({ dot: true })

Hono is Vulnerable to Authentication Bypass by IP Spoofing in AWS Lambda ALB conninfo

Hono added timing comparison hardening in basicAuth and bearerAuth

Hono IPv4 address validation bypass in IP Restriction Middleware allows IP spoofing

Hono vulnerable to XSS through ErrorBoundary component

Hono has an Arbitrary Key Read in Serve static Middleware (Cloudflare Workers Adapter)

Hono cache middleware ignores "Cache-Control: private" leading to Web Cache Deception

Hono JWT Middleware's JWT Algorithm Confusion via Unsafe Default (HS256) Allows Token Forgery and Auth Bypass

Hono JWK Auth Middleware has JWT algorithm confusion when JWK lacks "alg" (untrusted header.alg fallback)

Hono vulnerable to Vary Header Injection leading to potential CORS Bypass

Hono's flaw in URL path parsing could cause path confusion

Start Securing

Hono vulnerable to Prototype Pollution possible through proto key allowed in parseBody({ dot: true })