Skip to content

chore(deps): update dependency hono@<4.12.14 to >=4.12.26 [security]#604

Open
renovate[bot] wants to merge 1 commit into
masterfrom
renovate/npm-hono-4.12.14-vulnerability
Open

chore(deps): update dependency hono@<4.12.14 to >=4.12.26 [security]#604
renovate[bot] wants to merge 1 commit into
masterfrom
renovate/npm-hono-4.12.14-vulnerability

Conversation

@renovate

@renovate renovate Bot commented Jun 4, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence
hono@<4.12.14 (source) >=4.12.18>=4.12.26 age confidence

Hono: JWT middleware accepts any Authorization scheme, not only Bearer

CVE-2026-47673 / GHSA-f577-qrjj-4474

More information

Details

Summary

The jwt and jwk middlewares do not verify that the Authorization header value uses theBearer scheme. Any two-part header value — regardless of the scheme name in the first position — proceeds to JWT verification. A request presenting a valid JWT under a non-Bearer scheme identifier (such as Basic or Token) is authenticated identically to a correctly formed Bearer request.

Details

When processing an Authorization (or custom) header, the middleware splits the value on whitespace and uses the second token as the JWT to verify. It does not check that the first token is bearer (case-insensitively). RFC 6750 specifies that JWT bearer tokens must be presented using the Bearer scheme; other scheme identifiers carry distinct semantics and may be subject to different policies in network-layer security controls.

This discrepancy means that scheme-aware external controls — such as WAF rules, API gateways, or reverse proxies that apply policies specific to the Bearer scheme identifier — can be bypassed by presenting a valid JWT under a different scheme name.

This issue affects hono/jwt and hono/jwk middleware.

Impact

An attacker who possesses a valid JWT may present it under a non-Bearer scheme identifier and still pass middleware authentication.

This may lead to:

  • Bypass of network-layer security controls that inspect or filter requests based on the authorization scheme identifier
  • Token reuse across authentication schemes in applications that use multiple authorization mechanisms

This issue affects applications where hono/jwt or hono/jwk authentication is combined with external controls that enforce scheme-based access policies.

Severity

  • CVSS Score: 4.8 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Hono: IP Restriction bypasses static deny rules for non-canonical IPv6

CVE-2026-47674 / GHSA-xrhx-7g5j-rcj5

More information

Details

Summary

The ip-restriction middleware (hono/ip-restriction) compares incoming IP addresses against configured deny and allow rules using string equality after partial normalization. Non-canonical IPv6 representations of an address already listed in a static rule — such as compressed forms, explicit-zero forms, or hex-notation IPv4-mapped addresses — do not match the normalized rule entry, causing the rule to be silently skipped.

Details

When the rule matcher is built, each configured IP rule is normalized to a canonical string form. Incoming IP addresses received at request time are then compared against those canonical strings without applying the same normalization. Because IPv6 permits multiple syntactically different representations of the same numeric address, a non-canonical form of a denied address fails the string lookup and proceeds to the CIDR check, which also finds no match for rules registered as static (no prefix length). The request is then allowed.

Affected non-canonical forms include:

  • Compressed versus expanded notation (2001:db8::1 vs 2001:db8:0:0:0:0:0:1)
  • Hex-notation IPv4-mapped addresses (::ffff:7f00:1 vs ::ffff:127.0.0.1)
  • Zone identifier suffixes (e.g., fe80::1%eth0)

Additionally, invalid IP address strings provided as the remote address are not rejected and may result in unexpected allow or deny behavior.

This issue arises when applications use ipRestriction() with static (non-CIDR) rules and the IP address source can supply addresses in non-canonical IPv6 form.

Impact

A request from an IP address covered by a static deny rule may bypass the restriction if the address is presented in a non-canonical IPv6 form.

This may lead to:

  • Unauthorized access to endpoints intended to be restricted to specific IP addresses
  • Bypass of IP-based access controls in environments where the runtime or an upstream proxy provides source addresses in a form that differs from the canonical form used in the rule configuration

This issue affects applications using hono/ip-restriction with static deny rules for IPv4 or IPv6 addresses, particularly when the source address is derived from proxy headers or custom getIP implementations that may return non-canonical forms.

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Hono: app.mount() strips mount prefix using undecoded path, causing incorrect routing for percent-encoded paths

CVE-2026-47676 / GHSA-2gcr-mfcq-wcc3

More information

Details

Summary

app.mount() strips the mount prefix from the incoming request path using the raw URL pathname, while route matching is performed against the percent-decoded path. This inconsistency causes the prefix to be stripped at the wrong position when the path contains percent-encoded multi-byte characters, resulting in the mounted sub-application receiving an incorrect path.

Details

When app.mount(prefix, subApp) is called, Hono calculates the number of characters to strip based on the decoded mount prefix length, but then applies that slice to the raw URL pathname. When the URL contains percent-encoded characters that expand to fewer characters when decoded (such as encoded non-ASCII characters), the two representations have different lengths, so the prefix is stripped at the wrong byte offset.

As a result, the sub-application receives a path that does not correspond to the intended sub-path — it may receive a partial or garbled path instead of the expected value after the mount prefix is removed.

This issue arises when an application uses app.mount() with paths that contain percent-encoded characters, particularly when the mount prefix itself or the request path contains encoded non-ASCII characters.

Impact

A mounted sub-application may receive an incorrectly stripped path, causing requests to be routed to unintended handlers within the sub-application.

This may lead to:

  • Middleware or route handlers in the sub-application being bypassed or incorrectly matched due to the malformed path
  • Requests reaching sub-application routes that the developer did not intend to be accessible via the mounted path

This issue affects applications that use app.mount() where the request URL may contain percent-encoded characters in the mount prefix or subsequent path segments.

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Hono: Cookie helper does not sanitize sameSite and priority, allowing Set-Cookie injection

CVE-2026-47675 / GHSA-3hrh-pfw6-9m5x

More information

Details

Summary

The serialize() function in hono/cookie validates domain and path options against characters that corrupt Set-Cookie header syntax (;, \r, \n), but does not apply the same validation to sameSite and priority. An application that passes user-controlled input into either option may produce a Set-Cookie response header containing attacker-chosen additional attributes.

Details

When constructing a Set-Cookie header value, serialize() appends the sameSite and priority option values directly into the output string after a presentation-only transformation (capitalizing the first character). Although the TypeScript type signature constrains these options to specific string literals, that constraint is not enforced at runtime; any string value, including one containing ; or line-feed characters, passes through unchanged.

The validation guard that rejects ;, \r, and \n from domain and path is not applied to sameSite or priority. An application that passes a request-derived value to either option therefore provides an injection point into the header line.

This issue arises when an application passes user-controlled input to the sameSite or priority option of setCookie() or serialize().

Impact

An attacker who can control the sameSite or priority option value may inject additional attributes into a Set-Cookie response header.

This may lead to:

  • Cookie attribute injection — overriding Domain, Path, HttpOnly, Secure, or Max-Age for the affected cookie
  • HTTP response header injection on runtimes that do not strictly validate header values, enabling a second attacker-controlled Set-Cookie header in the same response

This issue affects applications that pass user-derived input into the sameSite or priority option of hono/cookie serialization functions.

Severity

  • CVSS Score: 4.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Release Notes

honojs/hono (hono@<4.12.14)

v4.12.26

Compare Source

What's Changed

Full Changelog: honojs/hono@v4.12.25...v4.12.26

v4.12.25

Compare Source

Security fixes

This release includes fixes for the following security issues:

CORS Middleware reflects any Origin with credentials when origin defaults to the wildcard

Affects: hono/cors. Fixes the wildcard origin reflecting the request Origin and sending Access-Control-Allow-Credentials: true when credentials: true is set without an explicit origin, where any site a logged-in user visited could make credentialed cross-origin requests and read responses from cookie-authenticated endpoints. GHSA-88fw-hqm2-52qc

Body Limit Middleware can be bypassed on AWS Lambda by understating Content-Length

Affects: hono/body-limit on AWS Lambda (hono/aws-lambda, hono/lambda-edge). Fixes the request being built with the client-declared Content-Length while the body is delivered fully buffered, where a client could declare a small Content-Length with a much larger body and slip past the configured size limit. GHSA-rv63-4mwf-qqc2

Path traversal in serve-static on Windows via encoded backslash (%5C)

Affects: serveStatic on Windows (Node, Bun, Deno adapters). Fixes the path guard allowing a lone backslash, where an encoded backslash (%5C) decoded to \ was treated as a separator by the Windows path resolver, letting a single URL segment escape into a middleware-guarded subtree. GHSA-wwfh-h76j-fc44

AWS Lambda adapter merges multiple Set-Cookie headers into one value, dropping cookies on ALB single-header and Lattice

Affects: hono/aws-lambda. Fixes multiple Set-Cookie response headers being joined into one comma-separated value for ALB single-header responses and VPC Lattice v2, where the value could not be split back into individual cookies and clients silently dropped or misparsed them. GHSA-j6c9-x7qj-28xf

Lambda@​Edge adapter keeps only the last value of a repeated request header, dropping the rest

Affects: hono/lambda-edge. Fixes repeated request headers being written with overwrite instead of append, where only the last value of a header such as X-Forwarded-For reached the application and the remaining values were silently dropped. GHSA-wgpf-jwqj-8h8p

v4.12.24

Compare Source

What's Changed

Full Changelog: honojs/hono@v4.12.23...v4.12.24

v4.12.23

Compare Source

What's Changed

Full Changelog: honojs/hono@v4.12.22...v4.12.23

v4.12.22

Compare Source

What's Changed

New Contributors

Full Changelog: honojs/hono@v4.12.21...v4.12.22

v4.12.21

Compare Source

Security fixes

This release includes fixes for the following security issues:

app.mount() strips mount prefix using undecoded path, causing incorrect routing for percent-encoded paths

Affects: app.mount(). Fixes prefix stripping using the raw URL pathname instead of the decoded path, where percent-encoded characters in the mount prefix or path could cause the prefix to be removed at the wrong position, resulting in the sub-application receiving an incorrect path. GHSA-2gcr-mfcq-wcc3

IP Restriction bypasses static deny rules for non-canonical IPv6

Affects: hono/ip-restriction. Fixes IP address comparison using string equality, where non-canonical IPv6 representations of a denied address — such as compressed forms or hex-notation IPv4-mapped addresses — could bypass static deny rules. GHSA-xrhx-7g5j-rcj5

Cookie helper does not sanitize sameSite and priority, allowing Set-Cookie injection

Affects: hono/cookie. Fixes missing validation of sameSite and priority options against injection characters (;, \r, \n), where user-controlled input passed to either option could inject additional attributes into the Set-Cookie response header. GHSA-3hrh-pfw6-9m5x

JWT middleware accepts any Authorization scheme, not only Bearer

Affects: hono/jwt, hono/jwk. Fixes missing scheme validation in the Authorization header, where any two-part header value was accepted regardless of the scheme name, allowing non-Bearer schemes to pass JWT authentication. GHSA-f577-qrjj-4474

Users who use app.mount(), hono/ip-restriction, hono/cookie, or hono/jwt/hono/jwk are encouraged to upgrade to this version.

v4.12.20

Compare Source

What's Changed

New Contributors

Full Changelog: honojs/hono@v4.12.19...v4.12.20

v4.12.19

Compare Source

What's Changed

New Contributors

Full Changelog: honojs/hono@v4.12.18...v4.12.19

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 4, 2026
@renovate renovate Bot changed the title chore(deps): update dependency hono@<4.12.14 to >=4.12.21 [security] chore(deps): update dependency hono@<4.12.14 to >=4.12.25 [security] Jun 11, 2026
@renovate renovate Bot force-pushed the renovate/npm-hono-4.12.14-vulnerability branch from c311993 to 22a6da9 Compare June 11, 2026 17:01
@renovate renovate Bot changed the title chore(deps): update dependency hono@<4.12.14 to >=4.12.25 [security] chore(deps): update dependency hono@<4.12.14 to >=4.12.21 [security] Jun 12, 2026
@renovate renovate Bot force-pushed the renovate/npm-hono-4.12.14-vulnerability branch from 22a6da9 to 7ceb6ce Compare June 12, 2026 01:54
@renovate renovate Bot changed the title chore(deps): update dependency hono@<4.12.14 to >=4.12.21 [security] chore(deps): update dependency hono@<4.12.14 to >=4.12.25 [security] Jun 16, 2026
@renovate renovate Bot force-pushed the renovate/npm-hono-4.12.14-vulnerability branch from 7ceb6ce to f7df7c7 Compare June 16, 2026 09:11
@renovate renovate Bot changed the title chore(deps): update dependency hono@<4.12.14 to >=4.12.25 [security] chore(deps): update dependency hono@<4.12.14 to >=4.12.21 [security] Jun 16, 2026
@renovate renovate Bot force-pushed the renovate/npm-hono-4.12.14-vulnerability branch from f7df7c7 to 34fede4 Compare June 16, 2026 09:14
@renovate renovate Bot changed the title chore(deps): update dependency hono@<4.12.14 to >=4.12.21 [security] chore(deps): update dependency hono@<4.12.14 to >=4.12.26 [security] Jun 18, 2026
@renovate renovate Bot force-pushed the renovate/npm-hono-4.12.14-vulnerability branch from 34fede4 to 0cb9ca8 Compare June 18, 2026 08:45
@renovate renovate Bot changed the title chore(deps): update dependency hono@<4.12.14 to >=4.12.26 [security] chore(deps): update dependency hono@<4.12.14 to >=4.12.21 [security] Jun 18, 2026
@renovate renovate Bot force-pushed the renovate/npm-hono-4.12.14-vulnerability branch from 0cb9ca8 to a00d511 Compare June 18, 2026 08:52
@renovate renovate Bot changed the title chore(deps): update dependency hono@<4.12.14 to >=4.12.21 [security] chore(deps): update dependency hono@<4.12.14 to >=4.12.26 [security] Jun 18, 2026
@renovate renovate Bot force-pushed the renovate/npm-hono-4.12.14-vulnerability branch from a00d511 to 6d46315 Compare June 18, 2026 21:12
@sonarqubecloud

sonarqubecloud Bot commented Jun 18, 2026

Copy link
Copy Markdown

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants