hono
50 known vulnerabilities · 0 critical · 0 high
Hono's Cache Middleware ignores Vary: Authorization / Vary: Cookie leading to cross-user cache leakage
Hono cache middleware ignores "Cache-Control: private" leading to Web Cache Deception
Hono allows bypass of CSRF Middleware by a request without Content-Type header
Hono has an Arbitrary Key Read in Serve static Middleware (Cloudflare Workers Adapter)
Hono Vulnerable to Cookie Attribute Injection via Unsanitized domain and path in setCookie()
Hono: Non-breaking space prefix bypass in cookie name handling in getCookie()
Hono CSRF middleware can be bypassed using crafted Content-Type header
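Added illustrative example for the two CSRF entries above (a request with no Content-Type, and a crafted Content-Type). This is not Hono's code; it is a stand-alone sketch of the bug class: a CSRF middleware that only origin-checks requests whose raw Content-Type starts with a known form type, so an absent header or an unusual spelling skips the check. The function names, the trusted origin `https://app.example` and the request objects are all constructed for the example.

```javascript
// Illustrative CSRF origin-check logic (added example, not Hono's implementation).

const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);
// The only media types a browser can send cross-site from a <form> without a
// CORS preflight. Anything else (e.g. application/json) cannot be sent cross-site
// without the target first opting in via CORS, so it needs no CSRF origin check.
const FORM_TYPES = ['application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain'];

// Bare media type: parameters (boundary=, charset=) stripped, trimmed, lower-cased.
function mediaType(contentType) {
  return contentType.split(';')[0].trim().toLowerCase();
}

// Vulnerable shape: a request counts as a form post only when the header is
// present and its raw value starts with a form type.
function needsOriginCheckWeak(method, contentType) {
  if (SAFE_METHODS.has(method.toUpperCase())) return false;
  if (contentType == null) return false;                       // bug: absent header is "not a form"
  return FORM_TYPES.some((t) => contentType.startsWith(t));    // bug: case-sensitive raw prefix match
}

// Hardened shape: a missing or empty Content-Type is treated as a form post
// (that is what a browser may send), and the media type is normalised before
// comparison so "Multipart/Form-Data; boundary=x" is still recognised.
function needsOriginCheckStrong(method, contentType) {
  if (SAFE_METHODS.has(method.toUpperCase())) return false;
  if (contentType == null) return true;
  const mt = mediaType(contentType);
  return mt === '' || FORM_TYPES.includes(mt);
}

// Shared decision: requests that need the check must carry a trusted Origin.
function csrfAllowed(req, trustedOrigins, needsOriginCheck) {
  if (!needsOriginCheck(req.method, req.contentType)) return true;
  return req.origin !== undefined && trustedOrigins.has(req.origin);
}

const TRUSTED = new Set(['https://app.example']);

// Constructed cross-site POSTs from a hostile origin.
const ATTACKS = [
  { method: 'POST', contentType: undefined, origin: 'https://evil.example' },
  { method: 'POST', contentType: 'Multipart/Form-Data; boundary=x', origin: 'https://evil.example' },
  { method: 'POST', contentType: 'text/plain;charset=UTF-8', origin: 'https://evil.example' },
];

// How many of the constructed attacks get through a given predicate.
function countBypasses(needsOriginCheck) {
  return ATTACKS.filter((r) => csrfAllowed(r, TRUSTED, needsOriginCheck)).length;
}

console.log('weak bypasses:', countBypasses(needsOriginCheckWeak), 'strong bypasses:', countBypasses(needsOriginCheckStrong));
```

The hardened predicate deliberately errs toward checking: when in doubt about the content type, require a trusted Origin. A JSON API call is still exempt because a browser cannot deliver it cross-site without a preflight the server controls.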
Hono JWK Auth Middleware has JWT algorithm confusion when JWK lacks "alg" (untrusted header.alg fallback)
Hono added timing comparison hardening in basicAuth and bearerAuth
Hono has CSS Declaration Injection via Style Object Values in JSX SSR
Hono vulnerable to Vary Header Injection leading to potential CORS Bypass
Hono IPv4 address validation bypass in IP Restriction Middleware allows IP spoofing
Hono: app.mount() strips mount prefix using undecoded path, causing incorrect routing for percent-encoded paths
hono/jsx has Unvalidated JSX Tag Names that May Allow HTML Injection
Hono vulnerable to Prototype Pollution possible through __proto__ key allowed in parseBody({ dot: true })
Hono Vulnerable to SSE Control Field Injection via CR/LF in writeSSE()
Hono missing validation of cookie name on write path in setCookie()
Hono: IP Restriction bypasses static deny rules for non-canonical IPv6
Hono: Middleware bypass via repeated slashes in serveStatic
Hono vulnerable to arbitrary file access via serveStatic
Hono has incorrect IP matching in ipRestriction() for IPv4-mapped IPv6 addresses
hono Improperly Handles JSX Attribute Names Allows HTML Injection in hono/jsx SSR
Hono: Path traversal in toSSG() allows writing files outside the output directory
Hono JWT Middleware's JWT Algorithm Confusion via Unsafe Default (HS256) Allows Token Forgery and Auth Bypass
Hono: Cookie helper does not sanitize sameSite and priority, allowing Set-Cookie injection
Hono: JWT middleware accepts any Authorization scheme, not only Bearer
Hono is Vulnerable to Authentication Bypass by IP Spoofing in AWS Lambda ALB conninfo
Hono: bodyLimit() can be bypassed for chunked / unknown-length requests
Hono has improper validation of NumericDate claims (exp, nbf, iat) in JWT verify()
Hono vulnerable to Restricted Directory Traversal in serveStatic with deno
hono: CORS Middleware reflects any Origin with credentials when `origin` defaults to the wildcard
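Added illustrative example for the CORS entry above. This is not Hono's code; it is a stand-alone sketch of the failure mode: a CORS helper whose `origin` option defaults to the wildcard and which, because `*` is not valid alongside `Access-Control-Allow-Credentials: true`, reflects the request's Origin instead, granting any site credentialed access. The option names, the `corsHeadersWeak`/`corsHeadersStrong` helpers and the origins used are constructed for the example.

```javascript
// Illustrative CORS response-header construction (added example, not Hono's implementation).

const DEFAULT_OPTS = { origin: '*', credentials: false };

// Vulnerable shape: wildcard default; to keep credentials "working" the wildcard is
// resolved by reflecting whatever Origin the client sent.
function corsHeadersWeak(requestOrigin, opts = {}) {
  const { origin, credentials } = { ...DEFAULT_OPTS, ...opts };
  const headers = {};
  const allowed = origin === '*'
    ? (requestOrigin ?? '*')                       // bug: reflection of an untrusted value
    : (origin === requestOrigin ? origin : null);
  if (allowed !== null) headers['Access-Control-Allow-Origin'] = allowed;
  if (credentials) headers['Access-Control-Allow-Credentials'] = 'true';
  return headers;
}

// Hardened shape: the wildcard is never reflected; with credentials the request Origin
// must exactly match an explicit allow-list entry, otherwise no CORS headers are sent
// at all (so the browser blocks the response). Vary: Origin is added whenever the
// answer depends on the request, so caches do not serve one origin's answer to another.
function corsHeadersStrong(requestOrigin, opts = {}) {
  const { origin, credentials } = { ...DEFAULT_OPTS, ...opts };
  const headers = {};
  const allowList = Array.isArray(origin) ? origin : [origin];
  if (credentials) {
    if (allowList.includes('*') || !requestOrigin || !allowList.includes(requestOrigin)) return headers;
    headers['Access-Control-Allow-Origin'] = requestOrigin;
    headers['Access-Control-Allow-Credentials'] = 'true';
    headers['Vary'] = 'Origin';
    return headers;
  }
  if (allowList.includes('*')) {
    headers['Access-Control-Allow-Origin'] = '*';  // public, credential-less resource
    return headers;
  }
  if (requestOrigin && allowList.includes(requestOrigin)) {
    headers['Access-Control-Allow-Origin'] = requestOrigin;
    headers['Vary'] = 'Origin';
  }
  return headers;
}

// Constructed scenario: a cookie-authenticated API hit from a hostile page.
function compare(requestOrigin = 'https://evil.example') {
  return {
    weak: corsHeadersWeak(requestOrigin, { credentials: true }),
    strong: corsHeadersStrong(requestOrigin, { credentials: true }),
  };
}

console.log(compare());
```

A quick check for any deployment: send a request with `Origin: https://evil.example` and confirm the response never carries that value in `Access-Control-Allow-Origin` together with `Access-Control-Allow-Credentials: true`.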
hono: Body Limit Middleware can be bypassed on AWS Lambda by understating `Content-Length`
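Added illustrative example for the two body-limit entries (chunked / unknown-length requests, and an understated `Content-Length`). This is not Hono's code; it is a stand-alone sketch of why a limit enforced from the header alone is not a limit: a chunked request carries no `Content-Length`, and a client can simply lie in the header. The limit value, the `acceptByHeader`/`readWithLimit` helpers and the request objects are constructed for the example; an array of chunks stands in for the body stream.

```javascript
// Illustrative request-body limit enforcement (added example, not Hono's implementation).

const LIMIT_BYTES = 16;

// Vulnerable shape: decide from the header only. Unknown length is never rejected,
// and the number itself is client-controlled.
function acceptByHeader(headers, limit = LIMIT_BYTES) {
  const cl = headers['content-length'];
  if (cl === undefined) return true;
  return Number(cl) <= limit;
}

// Hardened shape: count bytes as chunks arrive and stop at the first chunk that
// crosses the limit, before anything further is buffered or parsed.
// Returns { ok, read, body } where read is the byte count seen before the decision.
function readWithLimit(chunks, limit = LIMIT_BYTES) {
  let read = 0;
  const parts = [];
  for (const chunk of chunks) {
    const buf = Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk);
    read += buf.length;
    if (read > limit) return { ok: false, read, body: null };
    parts.push(buf);
  }
  return { ok: true, read, body: Buffer.concat(parts) };
}

// Constructed requests.
const CHUNKED_ATTACK = {
  headers: { 'transfer-encoding': 'chunked' },            // no Content-Length at all
  chunks: ['A'.repeat(12), 'B'.repeat(12), 'C'.repeat(40)],
};
const LYING_ATTACK = {
  headers: { 'content-length': '10' },                    // header says 10, body is 64
  chunks: ['X'.repeat(64)],
};
const LEGIT = {
  headers: { 'content-length': '5' },
  chunks: ['hello'],
};

// What each strategy decides for a request.
function decide(req, limit = LIMIT_BYTES) {
  return {
    byHeader: acceptByHeader(req.headers, limit),
    byStream: readWithLimit(req.chunks, limit).ok,
  };
}

console.log({ chunked: decide(CHUNKED_ATTACK), lying: decide(LYING_ATTACK), legit: decide(LEGIT) });
```

Where a runtime hands the handler a fully buffered body (as a serverless adapter may), the only reliable counterpart to the streaming check is measuring the buffer that was actually received, not the header that accompanied it.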
hono: Lambda@Edge adapter keeps only the last value of a repeated request header, dropping the rest
hono: Path traversal in `serve-static` on Windows via encoded backslash (`%5C`)
hono: AWS Lambda adapter merges multiple `Set-Cookie` headers into one value, dropping cookies on ALB single-header and Lattice
@hono/node-server: Middleware bypass via repeated slashes in serveStatic
@hono/node-server has authorization bypass for protected static paths via encoded slashes in Serve Static Middleware
Malicious code in autotel-hono (npm)
Malicious code in @mastra/hono (npm)
Malicious code in @trpc-rate-limiter/hono (npm)