npm

hono

34 known vulnerabilities · 0 critical · 0 high

CVE-2026-22818

Hono JWK Auth Middleware has JWT algorithm confusion when JWK lacks "alg" (untrusted header.alg fallback)

Published Jan 13, 2026
CVE-2026-24472

Hono cache middleware ignores "Cache-Control: private" leading to Web Cache Deception

Published Jan 27, 2026
GHSA-458j-xx4x-4375

hono Improperly Handles JSX Attribute Names Allows HTML Injection in hono/jsx SSR

Published Apr 16, 2026
CVE-2024-48913

Hono allows bypass of CSRF Middleware by a request without Content-Type header.

Published Oct 15, 2024
CVE-2026-24473

Hono has an Arbitrary Key Read in Serve static Middleware (Cloudflare Workers Adapter)

Published Jan 27, 2026
CVE-2025-59139

Hono has Body Limit Middleware Bypass

Published Sep 12, 2025
GHSA-xpcf-pg52-r92g

Hono has incorrect IP matching in ipRestriction() for IPv4-mapped IPv6 addresses

Published Apr 8, 2026
CVE-2026-29086

Hono Vulnerable to Cookie Attribute Injection via Unsanitized domain and path in setCookie()

Published Mar 4, 2026
GHSA-r5rp-j6wh-rvv4

Hono: Non-breaking space prefix bypass in cookie name handling in getCookie()

Published Apr 8, 2026
CVE-2024-43787 · MEDIUM

Hono CSRF middleware can be bypassed using crafted Content-Type header

Published Aug 22, 2024
CVE-2026-24771

Hono vulnerable to XSS through ErrorBoundary component

Published Jan 28, 2026
GHSA-gq3j-xvxp-8hrf

Hono added timing comparison hardening in basicAuth and bearerAuth

Published Feb 19, 2026
CVE-2023-50710 · MEDIUM

Named path parameters can be overridden in TrieRouter

Published Dec 15, 2023
GHSA-q7jf-gf43-6x6p

Hono vulnerable to Vary Header Injection leading to potential CORS Bypass

Published Oct 24, 2025
CVE-2026-24398

Hono IPv4 address validation bypass in IP Restriction Middleware allows IP spoofing

Published Jan 27, 2026
GHSA-v8w9-8mx6-g223

Hono vulnerable to Prototype Pollution possible through __proto__ key allowed in parseBody({ dot: true })

Published Mar 11, 2026
CVE-2026-29085

Hono Vulnerable to SSE Control Field Injection via CR/LF in writeSSE()

Published Mar 4, 2026
GHSA-26pp-8wgv-hjvm

Hono missing validation of cookie name on write path in setCookie()

Published Apr 8, 2026
CVE-2024-32869 · MEDIUM

Hono vulnerable to Restricted Directory Traversal in serveStatic with deno

Published Apr 23, 2024
CVE-2026-22817

Hono JWT Middleware's JWT Algorithm Confusion via Unsafe Default (HS256) Allows Token Forgery and Auth Bypass

Published Jan 13, 2026
CVE-2025-62610

Hono Improper Authorization vulnerability

Published Oct 22, 2025
GHSA-wmmm-f939-6g9c

Hono: Middleware bypass via repeated slashes in serveStatic

Published Apr 8, 2026
CVE-2026-29045

Hono vulnerable to arbitrary file access via serveStatic vulnerability

Published Mar 4, 2026
GHSA-xf4j-xp2r-rqqx

Hono: Path traversal in toSSG() allows writing files outside the output directory

Published Apr 8, 2026
CVE-2026-27700

Hono is Vulnerable to Authentication Bypass by IP Spoofing in AWS Lambda ALB conninfo

Published Feb 25, 2026
CVE-2024-23340 · MEDIUM

@hono/node-server cannot handle "double dots" in URL

Published Jan 23, 2024
GHSA-92pp-h63x-v22m

@hono/node-server: Middleware bypass via repeated slashes in serveStatic

Published Apr 8, 2026
MAL-2025-191328

Malicious code in @trpc-rate-limiter/hono (npm)

Published Nov 24, 2025
GHSA-9f72-qcpw-2hxc

OpenClaw: Native prompt image auto-load did not honor tools.fs.workspaceOnly in sandboxed runs

Published Mar 3, 2026
CVE-2026-29087

@hono/node-server has authorization bypass for protected static paths via encoded slashes in Serve Static Middleware

Published Mar 4, 2026
CVE-2020-15168 · LOW

The `size` option isn't honored after following a redirect in node-fetch

Published Sep 10, 2020
MAL-2025-49382

Malicious code in rce-poc-test-honor-dev (npm)

Published Nov 7, 2025
MAL-2025-49383

Malicious code in rce-poc-test-honor-mcp (npm)

Published Nov 7, 2025
MAL-2026-2409

Malicious code in @phonos/types (npm)

Published Mar 24, 2026