By vendor
Hono vulnerabilities
Known CVEs affecting Hono products, prioritized by severity, with SEC.co remediation and detection guidance.
4 published vulnerabilities
- CVE-2026-47674MEDIUM 5.3
Hono's IP-restriction middleware, a security component designed to enforce access control by allowing or denying traffic based on IP address rules, contains a flaw in how it compares incoming IP addresses against configured rules. The vulnerability exists because the middleware only performs partial normalization of IPv6 addresses before comparing them to stored rules. When an attacker sends a request using an alternative representation of an IPv6 address—such as compressed notation, explicit-zero forms, or IPv4-mapped hex notation—the middleware fails to recognize it as matching a rule, silently skipping the check. This allows traffic that should be blocked to pass through, or blocks traffic that should be allowed, depending on rule configuration. The flaw affects Hono versions prior to 4.12.21.
- CVE-2026-47676MEDIUM 5.3
Hono, a JavaScript web framework, contains a path handling vulnerability in versions before 4.12.21 that affects how mounted sub-applications receive requests. When URLs contain percent-encoded characters (like %C3%A9 for é), the framework strips the mount prefix incorrectly, causing the sub-application to see a mangled path. This can lead to requests being routed to unintended endpoints or exposing sensitive information through path confusion.
- CVE-2026-47673MEDIUM 4.8
Hono, a JavaScript Web application framework, contains a flaw in its JWT authentication middleware that fails to enforce the Bearer scheme requirement. Prior to version 4.12.21, the jwt and jwk middlewares accept any two-part Authorization header value—regardless of whether it uses Bearer, Basic, Token, or any other scheme name—and proceed directly to JWT verification if the token is valid. This means an attacker could authenticate by presenting a valid JWT under an incorrect scheme (like Basic auth) and gain the same access as a properly formatted Bearer token request. The vulnerability is fixed in version 4.12.21.
- CVE-2026-47675MEDIUM 4.3
Hono, a JavaScript web framework, contains a flaw in how it sanitizes cookie options. While the framework validates certain cookie parameters (domain and path) to prevent malicious characters from breaking the Set-Cookie header, it fails to apply the same checks to sameSite and priority options. If an application passes user-controlled input directly into these parameters, an attacker could inject additional cookie attributes into the response header, potentially manipulating cookie behavior or setting unintended security policies.