jonathan/hostr
jonathan/hostr
1
1
Fork 0
Code Issues Pull requests Packages 1 Activity Actions

Update dependency hono to v4.12.18 [SECURITY] #47

Merged
jonathan merged 1 commit from renovate/npm-hono-vulnerability into main 2026-05-09 18:11:41 +00:00
Conversation 0 Commits 1 Files changed 1 +3 -3
renovatebot commented 2026-05-09 07:08:55 +00:00
Collaborator
Copy link

This PR contains the following updates:

Package Type Update Change
hono (source) dependencies patch 4.12.164.12.18

Hono has improper validation of NumericDate claims (exp, nbf, iat) in JWT verify()

CVE-2026-44459 / GHSA-hm8q-7f3q-5f36

More information

Details

Summary

Improper validation of the JWT NumericDate claims exp, nbf, and iat in hono/utils/jwt allows tokens with non-spec-compliant claim values to silently bypass time-based checks. This issue is not exploitable by an anonymous attacker; it only manifests when a malformed claim value reaches verify() — typically when the application itself issues such tokens, or when the signing key is otherwise under attacker control.

Details

The validation routine combined option, presence, and threshold checks in a single short-circuiting expression, so several classes of malformed values were silently skipped instead of rejected:

  • A falsy numeric value short-circuited the presence check.
  • A non-finite numeric value compared as never-after-now and never-expired.
  • A non-numeric type produced NaN comparisons that evaluated false.

This deviates from RFC 7519 §4.1.4, which defines NumericDate as a finite JSON numeric value.

Impact

An actor able to issue tokens accepted by the application may craft tokens whose exp, nbf, or iat claims silently bypass time-based enforcement. This may lead to:

  • Tokens treated as never expiring even with exp configured on the verifier.
  • Tokens with a future nbf accepted as currently valid.
  • Tokens with a future iat accepted as legitimately issued.

Deployments using a well-formed token issuer and protecting the signing key are not affected.

Severity

  • CVSS Score: 3.8 / 10 (Low)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Hono's Cache Middleware ignores Vary: Authorization / Vary: Cookie leading to cross-user cache leakage

CVE-2026-44457 / GHSA-p77w-8qqv-26rm

More information

Details

Summary

Cache Middleware does not skip caching for responses that declare per-user variance via Vary: Authorization or Vary: Cookie. As a result, a response cached for one authenticated user may be served to subsequent requests from different users.

Details

The Cache Middleware skips caching when a response carries Vary: *, certain Cache-Control directives (private, no-store, no-cache), or Set-Cookie. However, Vary: Authorization and Vary: Cookie — the standard signals defined in RFC 9110 / RFC 9111 to indicate per-user responses — are not treated as cache-skip reasons.

This issue arises when applications use the Cache Middleware on endpoints that return user-specific data and rely on Vary: Authorization or Vary: Cookie to scope the response per user, without also setting Cache-Control: private.

Impact

A user may receive a cached response that was originally generated for a different authenticated user. This may lead to:

  • Disclosure of personally identifiable information or other user-specific data present in the response body
  • Inconsistent or incorrect behavior in user-specific endpoints

This issue affects applications that use the Cache Middleware on endpoints whose responses vary by Authorization or Cookie and that do not also set Cache-Control: private.

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Hono has CSS Declaration Injection via Style Object Values in JSX SSR

CVE-2026-44458 / GHSA-qp7p-654g-cw7p

More information

Details

Summary

The JSX renderer escapes style attribute object values for HTML but not for CSS. Untrusted input in a style object value or property name can therefore inject additional CSS declarations into the rendered style attribute. The impact is limited to CSS and does not allow JavaScript execution or HTML attribute breakout.

Details

style object values are serialized into a CSS declaration list and escaped for HTML attribute context only. Characters that act as CSS declaration boundaries — such as ;, comment markers, quoted strings, and block delimiters — are valid in HTML attribute content and can extend a value beyond its assigned property.

This issue arises when untrusted input is interpolated into a JSX style object and rendered server-side.

Impact

An attacker who can control the value or property name of a style object may inject arbitrary CSS declarations. This may lead to:

  • Visual manipulation of the page, including full-viewport overlays usable for phishing
  • Outbound requests to attacker-controlled hosts via CSS resource references such as url(...)
  • Hijacking of UI affordances through layout, positioning, or visibility changes

This issue affects applications that render JSX on the server with style object values or property names derived from untrusted input.

Severity

  • CVSS Score: 4.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Release Notes

honojs/hono (hono)

v4.12.18

Compare Source

Security fixes

This release includes fixes for the following security issues:

Cache Middleware ignores Vary: Authorization / Vary: Cookie leading to cross-user cache leakage

Affects: Cache Middleware. Fixes missing cache-skip handling for Vary: Authorization and Vary: Cookie, where a response cached for one authenticated user could be served to other users. GHSA-p77w-8qqv-26rm

CSS Declaration Injection via Style Object Values in JSX SSR

Affects: hono/jsx. Fixes a missing CSS-context escape for style object values and property names, where untrusted input could inject additional CSS declarations. The impact is limited to CSS and does not allow JavaScript execution. GHSA-qp7p-654g-cw7p

Improper validation of NumericDate claims (exp, nbf, iat) in JWT verify()

Affects: hono/utils/jwt. Fixes improper validation of exp, nbf, and iat claims, where falsy, non-finite, or non-numeric values could silently bypass time-based checks instead of being rejected per RFC 7519. GHSA-hm8q-7f3q-5f36

Users who use the JWT helper, hono/jsx, or the Cache middleware are strongly encouraged to upgrade to this version.

v4.12.17

Compare Source

What's Changed

New Contributors

Full Changelog: https://github.com/honojs/hono/compare/v4.12.16...v4.12.17

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.

This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [hono](https://hono.dev) ([source](https://github.com/honojs/hono)) | dependencies | patch | [`4.12.16` → `4.12.18`](https://renovatebot.com/diffs/npm/hono/4.12.16/4.12.18) | --- ### Hono has improper validation of NumericDate claims (exp, nbf, iat) in JWT verify() [CVE-2026-44459](https://nvd.nist.gov/vuln/detail/CVE-2026-44459) / [GHSA-hm8q-7f3q-5f36](https://github.com/advisories/GHSA-hm8q-7f3q-5f36) <details> <summary>More information</summary> #### Details ##### Summary Improper validation of the JWT NumericDate claims `exp`, `nbf`, and `iat` in `hono/utils/jwt` allows tokens with non-spec-compliant claim values to silently bypass time-based checks. This issue is not exploitable by an anonymous attacker; it only manifests when a malformed claim value reaches `verify()` — typically when the application itself issues such tokens, or when the signing key is otherwise under attacker control. ##### Details The validation routine combined option, presence, and threshold checks in a single short-circuiting expression, so several classes of malformed values were silently skipped instead of rejected: - A falsy numeric value short-circuited the presence check. - A non-finite numeric value compared as never-after-now and never-expired. - A non-numeric type produced NaN comparisons that evaluated false. This deviates from RFC 7519 §4.1.4, which defines NumericDate as a finite JSON numeric value. ##### Impact An actor able to issue tokens accepted by the application may craft tokens whose `exp`, `nbf`, or `iat` claims silently bypass time-based enforcement. This may lead to: - Tokens treated as never expiring even with `exp` configured on the verifier. - Tokens with a future `nbf` accepted as currently valid. - Tokens with a future `iat` accepted as legitimately issued. Deployments using a well-formed token issuer and protecting the signing key are not affected. #### Severity - CVSS Score: 3.8 / 10 (Low) - Vector String: `CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N` #### References - [https://github.com/honojs/hono/security/advisories/GHSA-hm8q-7f3q-5f36](https://github.com/honojs/hono/security/advisories/GHSA-hm8q-7f3q-5f36) - [https://github.com/honojs/hono](https://github.com/honojs/hono) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-hm8q-7f3q-5f36) and the [GitHub Advisory Database](https://github.com/github/advisory-database) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Hono's Cache Middleware ignores Vary: Authorization / Vary: Cookie leading to cross-user cache leakage [CVE-2026-44457](https://nvd.nist.gov/vuln/detail/CVE-2026-44457) / [GHSA-p77w-8qqv-26rm](https://github.com/advisories/GHSA-p77w-8qqv-26rm) <details> <summary>More information</summary> #### Details ##### Summary Cache Middleware does not skip caching for responses that declare per-user variance via `Vary: Authorization` or `Vary: Cookie`. As a result, a response cached for one authenticated user may be served to subsequent requests from different users. ##### Details The Cache Middleware skips caching when a response carries `Vary: *`, certain `Cache-Control` directives (`private`, `no-store`, `no-cache`), or `Set-Cookie`. However, `Vary: Authorization` and `Vary: Cookie` — the standard signals defined in RFC 9110 / RFC 9111 to indicate per-user responses — are not treated as cache-skip reasons. This issue arises when applications use the Cache Middleware on endpoints that return user-specific data and rely on `Vary: Authorization` or `Vary: Cookie` to scope the response per user, without also setting `Cache-Control: private`. ##### Impact A user may receive a cached response that was originally generated for a different authenticated user. This may lead to: - Disclosure of personally identifiable information or other user-specific data present in the response body - Inconsistent or incorrect behavior in user-specific endpoints This issue affects applications that use the Cache Middleware on endpoints whose responses vary by `Authorization` or `Cookie` and that do not also set `Cache-Control: private`. #### Severity - CVSS Score: 5.3 / 10 (Medium) - Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N` #### References - [https://github.com/honojs/hono/security/advisories/GHSA-p77w-8qqv-26rm](https://github.com/honojs/hono/security/advisories/GHSA-p77w-8qqv-26rm) - [https://github.com/honojs/hono](https://github.com/honojs/hono) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-p77w-8qqv-26rm) and the [GitHub Advisory Database](https://github.com/github/advisory-database) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Hono has CSS Declaration Injection via Style Object Values in JSX SSR [CVE-2026-44458](https://nvd.nist.gov/vuln/detail/CVE-2026-44458) / [GHSA-qp7p-654g-cw7p](https://github.com/advisories/GHSA-qp7p-654g-cw7p) <details> <summary>More information</summary> #### Details ##### Summary The JSX renderer escapes `style` attribute object values for HTML but not for CSS. Untrusted input in a `style` object value or property name can therefore inject additional CSS declarations into the rendered `style` attribute. The impact is limited to CSS and does not allow JavaScript execution or HTML attribute breakout. ##### Details `style` object values are serialized into a CSS declaration list and escaped for HTML attribute context only. Characters that act as CSS declaration boundaries — such as `;`, comment markers, quoted strings, and block delimiters — are valid in HTML attribute content and can extend a value beyond its assigned property. This issue arises when untrusted input is interpolated into a JSX `style` object and rendered server-side. ##### Impact An attacker who can control the value or property name of a `style` object may inject arbitrary CSS declarations. This may lead to: - Visual manipulation of the page, including full-viewport overlays usable for phishing - Outbound requests to attacker-controlled hosts via CSS resource references such as `url(...)` - Hijacking of UI affordances through layout, positioning, or visibility changes This issue affects applications that render JSX on the server with `style` object values or property names derived from untrusted input. #### Severity - CVSS Score: 4.3 / 10 (Medium) - Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N` #### References - [https://github.com/honojs/hono/security/advisories/GHSA-qp7p-654g-cw7p](https://github.com/honojs/hono/security/advisories/GHSA-qp7p-654g-cw7p) - [https://github.com/honojs/hono](https://github.com/honojs/hono) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-qp7p-654g-cw7p) and the [GitHub Advisory Database](https://github.com/github/advisory-database) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Release Notes <details> <summary>honojs/hono (hono)</summary> ### [`v4.12.18`](https://github.com/honojs/hono/releases/tag/v4.12.18) [Compare Source](https://github.com/honojs/hono/compare/v4.12.17...v4.12.18) #### Security fixes This release includes fixes for the following security issues: ##### Cache Middleware ignores Vary: Authorization / Vary: Cookie leading to cross-user cache leakage Affects: Cache Middleware. Fixes missing cache-skip handling for `Vary: Authorization` and `Vary: Cookie`, where a response cached for one authenticated user could be served to other users. GHSA-p77w-8qqv-26rm ##### CSS Declaration Injection via Style Object Values in JSX SSR Affects: hono/jsx. Fixes a missing CSS-context escape for `style` object values and property names, where untrusted input could inject additional CSS declarations. The impact is limited to CSS and does not allow JavaScript execution. GHSA-qp7p-654g-cw7p ##### Improper validation of NumericDate claims (exp, nbf, iat) in JWT verify() Affects: `hono/utils/jwt`. Fixes improper validation of `exp`, `nbf`, and `iat` claims, where falsy, non-finite, or non-numeric values could silently bypass time-based checks instead of being rejected per RFC 7519. GHSA-hm8q-7f3q-5f36 *** Users who use the JWT helper, hono/jsx, or the Cache middleware are strongly encouraged to upgrade to this version. ### [`v4.12.17`](https://github.com/honojs/hono/releases/tag/v4.12.17) [Compare Source](https://github.com/honojs/hono/compare/v4.12.16...v4.12.17) #### What's Changed - fix(jsx): normalize SVG attributes on the <svg> root element by [@&#8203;kfly8](https://github.com/kfly8) in [#&#8203;4893](https://github.com/honojs/hono/pull/4893) - fix(ssg): add `atom+xml` and `rss+xml` to `defaultExtensionMap` by [@&#8203;yuintei](https://github.com/yuintei) in [#&#8203;4899](https://github.com/honojs/hono/pull/4899) - fix(cors): make origin optional in CORSOptions by [@&#8203;truffle-dev](https://github.com/truffle-dev) in [#&#8203;4905](https://github.com/honojs/hono/pull/4905) - fix(types): propagate middleware response types to app.on overloads by [@&#8203;T4ko0522](https://github.com/T4ko0522) in [#&#8203;4906](https://github.com/honojs/hono/pull/4906) #### New Contributors - [@&#8203;kfly8](https://github.com/kfly8) made their first contribution in [#&#8203;4893](https://github.com/honojs/hono/pull/4893) - [@&#8203;truffle-dev](https://github.com/truffle-dev) made their first contribution in [#&#8203;4905](https://github.com/honojs/hono/pull/4905) **Full Changelog**: <https://github.com/honojs/hono/compare/v4.12.16...v4.12.17> </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - "" - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNjAuNCIsInVwZGF0ZWRJblZlciI6IjQzLjE2MC40IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119-->
Update dependency hono to v4.12.18 [SECURITY]
Some checks failed
ci / build-image (pull_request) Successful in 1m9s
Details
ci / test-image (pull_request) Failing after 1s
Details
ci / build-image (push) Successful in 1m7s
Details
ci / test-image (push) Failing after 1s
Details
7ae099a6c1
jonathan deleted branch renovate/npm-hono-vulnerability 2026-05-09 18:11:42 +00:00
Sign in to join this conversation.
Reviewers
No reviewers
Labels
Clear labels
No items
No labels
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
jonathan/hostr!47
No description provided.