pkg:npm/hono

26 total CVEsHIGH6MEDIUM18LOW1

✅ Check your installed version

All known vulnerabilities

  • HIGH8.2CVE-2026-27700Hono is Vulnerable to Authentication Bypass by IP Spoofing in AWS Lambda ALB conninfo
    >= 4.12.0, < 4.12.2
  • HIGH8.2CVE-2026-22818Hono JWK Auth Middleware has JWT algorithm confusion when JWK lacks "alg" (untrusted header.alg fallback)
    from 0, < 4.11.4
  • HIGH8.2CVE-2026-22817Hono JWT Middleware's JWT Algorithm Confusion via Unsafe Default (HS256) Allows Token Forgery and Auth Bypass
    from 0, < 4.11.4
  • HIGH8.1CVE-2025-62610Hono Improper Authorization vulnerability
    >= 1.1.0, < 4.10.2
  • HIGH7.5CVE-2026-29045Hono vulnerable to arbitrary file access via serveStatic vulnerability
    from 0, < 4.12.4
  • HIGH7.5CVE-2025-58362Hono's flaw in URL path parsing could cause path confusion
    >= 4.8.0, < 4.9.6
  • MEDIUM6.5CVE-2026-44456Hono: bodyLimit() can be bypassed for chunked / unknown-length requests
    from 0, < 4.12.16
  • MEDIUM6.5CVE-2026-29085Hono Vulnerable to SSE Control Field Injection via CR/LF in writeSSE()
    from 0, < 4.12.4
  • MEDIUM5.9CVE-2024-48913Hono allows bypass of CSRF Middleware by a request without Content-Type header.
    from 0, < 4.6.5
  • MEDIUM5.4CVE-2026-29086Hono Vulnerable to Cookie Attribute Injection via Unsanitized domain and path in setCookie()
    from 0, < 4.12.4
  • MEDIUM5.3CVE-2026-44457Hono's Cache Middleware ignores Vary: Authorization / Vary: Cookie leading to cross-user cache leakage
    from 0, < 4.12.18
  • MEDIUM5.3CVE-2026-39409Hono has incorrect IP matching in ipRestriction() for IPv4-mapped IPv6 addresses
    from 0, < 4.12.12
  • MEDIUM5.3CVE-2026-39407Hono: Middleware bypass via repeated slashes in serveStatic
    from 0, < 4.12.12
  • MEDIUM5.3CVE-2026-24473Hono has an Arbitrary Key Read in Serve static Middleware (Cloudflare Workers Adapter)
    from 0, < 4.11.7
  • MEDIUM5.3CVE-2026-24472Hono cache middleware ignores "Cache-Control: private" leading to Web Cache Deception
    from 0, < 4.11.7
  • MEDIUM5.3CVE-2025-59139Hono has Body Limit Middleware Bypass
    from 0, < 4.9.7
  • MEDIUM5.3CVE-2024-32869Hono vulnerable to Restricted Directory Traversal in serveStatic with deno
    from 0, < 4.2.7
  • MEDIUM5.0CVE-2024-43787Hono CSRF middleware can be bypassed using crafted Content-Type header
    from 0, < 4.5.8
  • MEDIUM4.8CVE-2026-39410Hono: Non-breaking space prefix bypass in cookie name handling in getCookie()
    from 0, < 4.12.12
  • MEDIUM4.8CVE-2026-24398Hono IPv4 address validation bypass in IP Restriction Middleware allows IP spoofing
    from 0, < 4.11.7
  • MEDIUM4.7CVE-2026-44455hono/jsx has Unvalidated JSX Tag Names that May Allow HTML Injection
    from 0, < 4.12.16
  • MEDIUM4.7CVE-2026-24771Hono vulnerable to XSS through ErrorBoundary component
    from 0, < 4.11.7
  • MEDIUM4.3CVE-2026-44458Hono has CSS Declaration Injection via Style Object Values in JSX SSR
    from 0, < 4.12.18
  • MEDIUM4.2CVE-2023-50710Named path parameters can be overridden in TrieRouter
    from 0, < 3.11.7
  • LOW3.8CVE-2026-44459Hono has improper validation of NumericDate claims (exp, nbf, iat) in JWT verify()
    from 0, < 4.12.18
  • CVE-2026-39408Hono: Path traversal in toSSG() allows writing files outside the output directory
    >= 4.0.0, < 4.12.12
npm/hono — 26 CVEs · VulnScope