PatchSiren

honojs CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

MEDIUM honojs CVE published 2026-05-28

CVE-2026-47676

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, app.mount() strips the mount prefix from the incoming request path using the raw URL pathname, while route matching is performed against the percent-decoded path. This inconsistency causes the prefix to be stripped at the wrong position when the path contains percent-encoded multi-byte charac [truncated]

MEDIUM honojs CVE published 2026-05-28

CVE-2026-47675

A vulnerability in the Hono web framework's cookie serialization allows attackers to inject arbitrary Set-Cookie attributes when user-controlled input is passed to the `sameSite` or `priority` cookie options. The `serialize()` function in `hono/cookie` validates `domain` and `path` options against characters that corrupt Set-Cookie header syntax (semicolons, carriage returns, and newlines), but fails to a [truncated]

MEDIUM honojs CVE published 2026-05-28

CVE-2026-47674

Hono's ip-restriction middleware (prior to 4.12.21) fails to canonicalize IPv6 addresses before comparing them against static allow/deny rules. An attacker can bypass IP-based access controls by presenting the same address in a non-canonical form (compressed notation, explicit zero groups, or IPv4-mapped hex notation) that does not match the normalized rule entry. ## Technical Analysis The vuln [truncated]

MEDIUM honojs CVE published 2026-05-28

CVE-2026-47673

Hono's JWT and JWK middlewares prior to version 4.12.21 fail to validate that the Authorization header uses the Bearer scheme. The middleware accepts any two-part header value and proceeds directly to JWT verification, regardless of the scheme identifier. A valid JWT presented under alternative schemes (e.g., Basic, Token) is authenticated identically to a properly formed Bearer request. ## Tec [truncated]