Taku Amano

9 exploits Active since Apr 2024
CVE-2026-39407 WRITEUP MEDIUM WRITEUP
Hono <4.12.12 serveStatic - Middleware Bypass
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, a path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes (//) in the request path. When route-based middleware (e.g., /admin/*) is used for authorization, the router may not match paths containing repeated slashes, while serveStatic resolves them as normalized paths. This can lead to a middleware bypass. This vulnerability is fixed in 4.12.12.
CVSS 5.3
CVE-2026-39409 WRITEUP MEDIUM WRITEUP
Hono has incorrect IP matching in ipRestriction() for IPv4-mapped IPv6 addresses
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, ipRestriction() does not canonicalize IPv4-mapped IPv6 client addresses (e.g. ::ffff:127.0.0.1) before applying IPv4 allow or deny rules. In environments such as Node.js dual-stack, this can cause IPv4 rules to fail to match, leading to unintended authorization behavior. This vulnerability is fixed in 4.12.12.
CVSS 5.3
CVE-2026-39410 WRITEUP MEDIUM WRITEUP
Hono <4.12.12 getCookie() - Cookie Prefix Bypass
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, a discrepancy between browser cookie parsing and parse() handling allows cookie prefix protections to be bypassed. Cookie names that are treated as distinct by the browser may be normalized to the same key by parse(), allowing attacker-controlled cookies to override legitimate ones. This vulnerability is fixed in 4.12.12.
CVSS 4.8
CVE-2026-29045 WRITEUP HIGH WRITEUP
Hono < 4.12.4 - Unauthenticated Path Traversal via URL-Encoded Slash Bypass
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.12.4, when using serveStatic together with route-based middleware protections (e.g. app.use('/admin/*', ...)), inconsistent URL decoding allowed protected static resources to be accessed without authorization. The router used decodeURI, while serveStatic used decodeURIComponent. This mismatch allowed paths containing encoded slashes (%2F) to bypass middleware protections while still resolving to the intended filesystem path. This issue has been patched in version 4.12.4.
CVSS 7.5
CVE-2026-29085 WRITEUP MEDIUM WRITEUP
Hono < 4.12.4 - Server-Sent Events Injection via Unvalidated Event Fields
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.12.4, when using streamSSE() in Streaming Helper, the event, id, and retry fields were not validated for carriage return (\r) or newline (\n) characters. Because the SSE protocol uses line breaks as field delimiters, this could allow injection of additional SSE fields within the same event frame if untrusted input was passed into these fields. This issue has been patched in version 4.12.4.
CVSS 6.5
CVE-2026-29086 WRITEUP MEDIUM WRITEUP
Hono < 4.12.4 - Cookie Attribute Injection via Set-Cookie Header
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.12.4, the setCookie() utility did not validate semicolons (;), carriage returns (\r), or newline characters (\n) in the domain and path options when constructing the Set-Cookie header. Because cookie attributes are delimited by semicolons, this could allow injection of additional cookie attributes if untrusted input was passed into these fields. This issue has been patched in version 4.12.4.
CVSS 5.4
CVE-2024-32652 WRITEUP HIGH WRITEUP
hono/node-server 1.3.0-1.10.1 - Denial of Service via Malformed Host Header
The adapter @hono/node-server allows you to run your Hono application on Node.js. Prior to 1.10.1, the application hangs when receiving a Host header with a value that `@hono/node-server` can't handle well. Invalid values are those that cannot be parsed by the `URL` as a hostname such as an empty string, slashes `/`, and other strings. The version 1.10.1 includes the fix for this issue.
CVSS 7.5
CVE-2026-24398 WRITEUP MEDIUM WRITEUP
Hono < 4.11.7 - IP Address Validation Bypass via Malformed IPv4 Octet Handling
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.11.7, IP Restriction Middleware in Hono is vulnerable to an IP address validation bypass. The `IPV4_REGEX` pattern and `convertIPv4ToBinary` function in `src/utils/ipaddr.ts` do not properly validate that IPv4 octet values are within the valid range of 0-255, allowing attackers to craft malformed IP addresses that bypass IP-based access controls. Version 4.11.7 contains a patch for the issue.
CVSS 4.8
CVE-2026-24771 WRITEUP MEDIUM WRITEUP
Hono < 4.11.7 - Cross-Site Scripting in ErrorBoundary Component
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.11.7, a Cross-Site Scripting (XSS) vulnerability exists in the `ErrorBoundary` component of the hono/jsx library. Under certain usage patterns, untrusted user-controlled strings may be rendered as raw HTML, allowing arbitrary script execution in the victim's browser. Version 4.11.7 patches the issue.
CVSS 4.7