Security Overview · honojs/hono · GitHub

Security

No security policy detected

This project has not set up a SECURITY.md file yet.

Report a vulnerability

JWT algorithm confusion in Hono JWK Auth Middleware when JWK lacks "alg" (untrusted header.alg fallback)
GHSA-3vhc-576x-3qv4 published Jan 13, 2026 by yusukebe

High
JWT Algorithm Confusion via Unsafe Default (HS256) in Hono JWT Middleware Allows Token Forgery and Auth Bypass
GHSA-f67f-6cw9-8mq4 published Jan 13, 2026 by yusukebe

High
Vary Header Injection leading to potential CORS Bypass
GHSA-q7jf-gf43-6x6p published Oct 24, 2025 by yusukebe

Moderate
Improper Authorization in hono
GHSA-m732-5p4w-x69g published Oct 21, 2025 by yusukebe

High
Body Limit Middleware Bypass
GHSA-92vj-g62v-jqhh published Sep 12, 2025 by yusukebe

Moderate
Flaw in URL path parsing could cause path confusion
GHSA-9hp6-4448-45g2 published Sep 3, 2025 by yusukebe

High
Bypass CSRF Middleware by a request without Content-Type header
GHSA-2234-fmw7-43wr published Oct 15, 2024 by yusukebe

Moderate
Bypass CSRF middleware
GHSA-rpfr-3m35-5vx5 published Aug 22, 2024 by yusukebe

Moderate
Restricted Directory Traversal in serveStatic with deno
GHSA-3mpf-rcc7-5347 published Apr 23, 2024 by yusukebe

Moderate
Named path parameters can be overridden in TrieRouter
GHSA-f6gv-hh8j-q8vq published Dec 14, 2023 by yusukebe

Moderate

Learn more about advisories related to honojs/hono in the GitHub Advisory Database