PatchSiren

honojs CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

MEDIUM honojs CVE published 2026-07-08

CVE-2026-59897

The Hono Web application framework has a vulnerability in its AWS API Gateway v1 adapter. From version 4.3.3 to 4.12.27, the adapter can drop distinct repeated request header values due to a substring comparison instead of an exact match. This affects middleware or application logic relying on the complete X-Forwarded-For chain, rate limiting, audit logging, or proxy-chain validation, potentially leading [truncated]

MEDIUM honojs CVE published 2026-07-08

CVE-2026-59896

CVE-2026-59896 is a vulnerability in the Hono Web application framework that allows context values from different requests to be used during server-side rendering. This issue was fixed in version 4.12.27. The vulnerability has a CVSS score of 6.5 and is classified as MEDIUM severity. It affects Hono framework versions between 4.11.8 and 4.12.26. Users of these versions should update to version 4.12.27 to [truncated]

MEDIUM honojs CVE published 2026-07-08

CVE-2026-59895

CVE-2026-59895 is a server-side rendering escape issue in Hono Web application framework versions before 4.12.27. The cx() function in hono/css composes class names from plain strings but marks the result as already escaped without HTML-escaping the input. This allows untrusted className values used in a JSX class attribute during server-side rendering to break out of the attribute and inject arbitrary ma [truncated]

MEDIUM honojs CVE published 2026-06-22

CVE-2026-54289

CVE-2026-54289 is a vulnerability in the Hono Web application framework that affects AWS Lambda@Edge and CloudFront. Prior to version 4.12.25, CloudFront delivers a request header that appears more than once as several separate entries. The adapter writes each value with Headers.set instead of Headers.append, so every value overwrites the previous one and only the last reaches the application. This can we [truncated]

MEDIUM honojs CVE published 2026-05-28

CVE-2026-47676

## Summary Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, app.mount() strips the mount prefix from the incoming request path using the raw URL pathname, while route matching is performed against the percent-decoded path. This inconsistency causes the prefix to be stripped at the wrong position when the path contains percent-encoded multi-byte charac [truncated]

MEDIUM honojs CVE published 2026-05-28

CVE-2026-47675

A vulnerability in the Hono web framework's cookie serialization allows attackers to inject arbitrary Set-Cookie attributes when user-controlled input is passed to the `sameSite` or `priority` cookie options. The `serialize()` function in `hono/cookie` validates `domain` and `path` options against characters that corrupt Set-Cookie header syntax (semicolons, carriage returns, and newlines), but fails to a [truncated]

MEDIUM honojs CVE published 2026-05-28

CVE-2026-47674

## Summary Hono's ip-restriction middleware (prior to 4.12.21) fails to canonicalize IPv6 addresses before comparing them against static allow/deny rules. An attacker can bypass IP-based access controls by presenting the same address in a non-canonical form (compressed notation, explicit zero groups, or IPv4-mapped hex notation) that does not match the normalized rule entry. ## Technical Analysis The vuln [truncated]

MEDIUM honojs CVE published 2026-05-28

CVE-2026-47673

## Summary Hono's JWT and JWK middlewares prior to version 4.12.21 fail to validate that the Authorization header uses the Bearer scheme. The middleware accepts any two-part header value and proceeds directly to JWT verification, regardless of the scheme identifier. A valid JWT presented under alternative schemes (e.g., Basic, Token) is authenticated identically to a properly formed Bearer request. ## Tec [truncated]