HIGH🇵🇱 Wersja polska

CVE-2025-62610

CVSS 8.1v3.1pub. 2025-10-22upd. 2026-02-04

Hono is a Web application framework that provides support for any JavaScript runtime. In versions from 1.1.0 to before 4.10.2, Hono’s JWT Auth Middleware does not provide a built-in aud (Audience) verification option, which can cause confused-deputy / token-mix-up issues: an API may accept a valid token that was issued for a different audience (e.g., another service) when multiple services share the same issuer/keys. This can lead to unintended cross-service access. Hono’s docs list verification options for iss/nbf/iat/exp only, with no aud support; RFC 7519 requires that when an aud claim is present, tokens MUST be rejected unless the processing party identifies itself in that claim. This issue has been patched in version 4.10.2.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
  • Hono

    APP
    Hono
    1.1.0 – 4.10.2 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2026-29045HIGH7.5ten sam produkt

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.12.4,...

CVE-2026-27700HIGH8.2ten sam produkt

Hono is a Web application framework that provides support for any JavaScript runtime. In versions 4.12.0 and 4...

CVE-2026-22817HIGH8.2ten sam produkt

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.11.4, there i...

CVE-2026-22818HIGH8.2ten sam produkt

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.11.4, there i...

CVE-2025-58362HIGH7.5ten sam produkt

Hono is a Web application framework that provides support for any JavaScript runtime. Versions 4.8.0 through 4...

CVE-2025-62610 — Hono — HIGH — CVSS 8.1 | CVEbaza.pl