ROOT-APP-NPM-CVE-2026-44457 CVE-2026-44457 in @rootio/hono - Patched by Root
Root has patched CVE-2026-44457 in the @rootio/hono package for Root:npm. Multiple fixed versions available...
ROOT-APP-NPM-CVE-2026-44455 CVE-2026-44455 in @rootio/hono - Patched by Root
Root has patched CVE-2026-44455 in the @rootio/hono package for Root:npm. Multiple fixed versions available...
ROOT-APP-NPM-CVE-2026-44458 CVE-2026-44458 in @rootio/hono - Patched by Root
Root has patched CVE-2026-44458 in the @rootio/hono package for Root:npm. Multiple fixed versions available...
ROOT-APP-NPM-CVE-2026-44456 CVE-2026-44456 in @rootio/hono - Patched by Root
Root has patched CVE-2026-44456 in the @rootio/hono package for Root:npm. Multiple fixed versions available...
ROOT-APP-NPM-CVE-2026-29086 CVE-2026-29086 in @rootio/hono - Patched by Root
Root has patched CVE-2026-29086 in the @rootio/hono package for Root:npm. Multiple fixed versions available...
ROOT-APP-NPM-CVE-2026-29045 CVE-2026-29045 in @rootio/hono - Patched by Root
Root has patched CVE-2026-29045 in the @rootio/hono package for Root:npm. Multiple fixed versions available...
ROOT-APP-NPM-CVE-2026-29085 CVE-2026-29085 in @rootio/hono - Patched by Root
Root has patched CVE-2026-29085 in the @rootio/hono package for Root:npm. Multiple fixed versions available...
Hono: app.mount() strips mount prefix using undecoded path, causing incorrect routing for percent-encoded paths
Summary: app.mount strips the mount prefix from the incoming request path using the raw URL pathname, while route matching is performed against the percent-decoded path. This inconsistency causes the prefix to be stripped at the wrong position when the path contains percent-encoded multi-byte...
EUVD-2026-32924
Hono: app.mount strips mount prefix using undecoded path, causing incorrect routing for percent-encoded paths...
EUVD-2026-32926
Hono: IP Restriction bypasses static deny rules for non-canonical IPv6...
EUVD-2026-32925
Hono: Cookie helper does not sanitize sameSite and priority, allowing Set-Cookie injection...
GHSA-3HRH-PFW6-9M5X Hono: Cookie helper does not sanitize sameSite and priority, allowing Set-Cookie injection
Summary: The serialize function in hono/cookie validates the domain and path options against characters that corrupt Set-Cookie header syntax (;, \r, \n), but does not apply the same validation to sameSite and priority. An application that passes user-controlled input into either option may produce a...
EUVD-2026-32927
Hono: JWT middleware accepts any Authorization scheme, not only Bearer...
GHSA-F577-QRJJ-4474 Hono: JWT middleware accepts any Authorization scheme, not only Bearer
Summary: The jwt and jwk middlewares do not verify that the Authorization header value uses the Bearer scheme. Any two-part header value — regardless of the scheme name in the first position — proceeds to JWT verification. A request presenting a valid JWT under a non-Bearer scheme identifier such a...
CVE-2026-47674
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, the ip-restriction middleware hono/ip-restriction compares incoming IP addresses against configured deny and allow rules using string equality after partial normalization. Non-canonical IPv6...
CVE-2026-47673
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, the jwt and jwk middlewares do not verify that the Authorization header value uses the Bearer scheme. Any two-part header value — regardless of the scheme name in the first position — proceeds t...
Incorrect Regular Expression
Overview: hono is an Ultrafast web framework for the Edges. Affected versions of this package are vulnerable to Incorrect Regular Expression via the ip-restriction middleware. An attacker can bypass configured deny rules for IPv6 addresses by submitting non-canonical representations, such as...
HTTP Response Splitting
Overview: hono is an Ultrafast web framework for the Edges. Affected versions of this package are vulnerable to HTTP Response Splitting via the serialize function. An attacker can inject arbitrary attributes into the Set-Cookie response header by supplying crafted input to the sameSite or priority...
Improper Authorization
Overview: hono is an Ultrafast web framework for the Edges. Affected versions of this package are vulnerable to Improper Authorization via the jwt middleware when the Authorization header uses any scheme, not just Bearer. An attacker can gain unauthorized access by presenting a valid JWT under a...
HTTP Request Smuggling
Overview: hono is an Ultrafast web framework for the Edges. Affected versions of this package are vulnerable to HTTP Request Smuggling via the app.mount function. An attacker can access unintended routes or resources by sending requests with percent-encoded multi-byte characters in the URL path,...