
honojs — Vulnerabilities & Security Advisories (25)

Browse all 25 CVE security advisories affecting honojs. AI-powered Chinese analysis, POCs, and references for each vulnerability.

HonoJS is a lightweight, ultrafast web framework designed for edge computing environments, used mainly by developers building serverless applications and API services. Despite its minimal footprint, the project has accumulated approximately 25 recorded Common Vulnerabilities and Exposures (CVEs), indicating significant historical security challenges. These incidents predominantly involve remote code execution (RCE) and cross-site scripting (XSS) flaws, often stemming from improper input validation or insecure default configurations in middleware implementations. While the framework emphasizes performance and compatibility with a range of JavaScript runtimes, its rapid iteration cycle has at times outpaced rigorous security auditing. Notable incidents show attackers exploiting unpatched dependencies or misconfigured routing mechanisms to gain unauthorized access. The security posture remains reactive, with patches released after disclosure rather than through proactive, hardened defaults; users are therefore expected to verify dependency integrity manually and configure strict security headers to mitigate these risks effectively.

Top products by honojs: hono, node-server

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-39410 | Hono has a non-breaking space prefix bypass in cookie name handling in getCookie() | hono | CWE-20 | 4.8 | Medium | 2026-04-08 |
| CVE-2026-39409 | Hono has incorrect IP matching in ipRestriction() for IPv4-mapped IPv6 addresses | hono | CWE-180 | 9.1 (AI) | Critical (AI) | 2026-04-08 |
| CVE-2026-39408 | Hono has a path traversal in toSSG() allows writing files outside the output directory | hono | CWE-22 | 7.5 (AI) | High (AI) | 2026-04-08 |
| CVE-2026-39407 | Hono has a middleware bypass via repeated slashes in serveStatic | hono | CWE-22 | 5.3 | Medium | 2026-04-08 |
| CVE-2026-39406 | @hono/node-server has a middleware bypass via repeated slashes in serveStatic | node-server | CWE-22 | 5.3 | Medium | 2026-04-08 |
| CVE-2026-29087 | @hono/node-server: Authorization bypass for protected static paths via encoded slashes in Serve Static Middleware | node-server | CWE-863 | 7.5 | High | 2026-03-06 |
| CVE-2026-29085 | Hono: SSE Control Field Injection via CR/LF in writeSSE() | hono | CWE-74 | 6.5 | Medium | 2026-03-04 |
| CVE-2026-29045 | Hono: Arbitrary file access via serveStatic vulnerability | hono | CWE-177 | 7.5 | High | 2026-03-04 |
| CVE-2026-29086 | Hono: Cookie Attribute Injection via Unsanitized domain and path in setCookie() | hono | CWE-1113 | 5.4 | Medium | 2026-03-04 |
| CVE-2026-27700 | Hono is Vulnerable to Authentication Bypass by IP Spoofing in AWS Lambda ALB conninfo | hono | CWE-345 | 8.2 | High | 2026-02-25 |
| CVE-2026-24771 | Hono has a Cross-site Scripting vulnerability | hono | CWE-79 | 4.7 | Medium | 2026-01-27 |
| CVE-2026-24473 | Hono has an Arbitrary Key Read in Serve static Middleware (Cloudflare Workers Adapter) | hono | CWE-200 | 7.5 (AI) | High (AI) | 2026-01-27 |
| CVE-2026-24472 | Hono cache middleware ignores "Cache-Control: private" leading to Web Cache Deception | hono | CWE-524 | 5.3 | Medium | 2026-01-27 |
| CVE-2026-24398 | Hono's IPv4 address validation bypass in IP Restriction Middleware allows IP spoofing | hono | CWE-185 | 4.8 | Medium | 2026-01-27 |
| CVE-2026-22817 | JWT Algorithm Confusion via Unsafe Default (HS256) in Hono JWT Middleware Allows Token Forgery and Auth Bypass | hono | CWE-347 | 8.2 | High | 2026-01-13 |
| CVE-2026-22818 | JWT algorithm confusion in Hono JWK Auth Middleware when JWK lacks "alg" (untrusted header.alg fallback) | hono | CWE-347 | 8.2 | High | 2026-01-13 |
| CVE-2025-62610 | Hono Improperly Authorizes JWT Audience Validation | hono | CWE-285 | 8.1 | High | 2025-10-22 |
| CVE-2025-59139 | Hono has Body Limit Middleware Bypass | hono | CWE-400 | 5.3 | Medium | 2025-09-12 |
| CVE-2025-58362 | Hono contains a flaw in URL path parsing, potentially leading to path confusion | hono | CWE-706 | 7.5 | High | 2025-09-04 |
| CVE-2024-48913 | Hono vulnerable to bypass of CSRF Middleware by a request without Content-Type header | hono | CWE-352 | 5.9 | Medium | 2024-10-15 |
| CVE-2024-43787 | Hono CSRF middleware can be bypassed using crafted Content-Type header | hono | CWE-352 | 5.0 | Medium | 2024-08-22 |
| CVE-2024-32869 | Hono vulnerable to Restricted Directory Traversal in serveStatic with deno | hono | CWE-22 | 5.3 | Medium | 2024-04-23 |
| CVE-2024-32652 | @hono/node-server contains Denial of Service risk when receiving Host header that cannot be parsed | node-server | CWE-755 | 7.5 | High | 2024-04-19 |
| CVE-2024-23340 | @hono/node-server can't handle "double dots" in URL | node-server | CWE-22 | 5.3 | Medium | 2024-01-22 |
| CVE-2023-50710 | Hono's named path parameters can be overridden in TrieRouter | hono | CWE-94 | 4.2 | Medium | 2023-12-14 |

Scores and severities marked (AI) carry the page's AI badge, indicating an AI-assigned value rather than one taken from the published advisory.

This page lists every published CVE security advisory associated with honojs. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.