Security: honojs/hono
No security policy detected
This project has not set up a SECURITY.md file yet.
Path traversal in `serve-static` on Windows via encoded backslash (`%5C`)
GHSA-wwfh-h76j-fc44, published Jun 9, 2026 by yusukebe, severity: Moderate

CORS Middleware reflects any Origin with credentials when `origin` defaults to the wildcard
GHSA-88fw-hqm2-52qc, published Jun 9, 2026 by yusukebe, severity: High

Body Limit Middleware can be bypassed on AWS Lambda by understating `Content-Length`
GHSA-rv63-4mwf-qqc2, published Jun 9, 2026 by yusukebe, severity: Moderate

Lambda@Edge adapter keeps only the last value of a repeated request header, dropping the rest
GHSA-wgpf-jwqj-8h8p, published Jun 9, 2026 by yusukebe, severity: Moderate

AWS Lambda adapter merges multiple `Set-Cookie` headers into one value, dropping cookies on ALB single-header and Lattice
GHSA-j6c9-x7qj-28xf, published Jun 9, 2026 by yusukebe, severity: Moderate

app.mount() strips mount prefix using undecoded path, causing incorrect routing for percent-encoded paths
GHSA-2gcr-mfcq-wcc3, published May 19, 2026 by yusukebe, severity: Moderate

IP Restriction bypasses static deny rules for non-canonical IPv6
GHSA-xrhx-7g5j-rcj5, published May 19, 2026 by yusukebe, severity: Moderate

Cookie helper does not sanitize sameSite and priority, allowing Set-Cookie injection
GHSA-3hrh-pfw6-9m5x, published May 19, 2026 by yusukebe, severity: Moderate

JWT middleware accepts any Authorization scheme, not only Bearer
GHSA-f577-qrjj-4474, published May 19, 2026 by yusukebe, severity: Moderate

Improper validation of NumericDate claims (exp, nbf, iat) in JWT verify()
GHSA-hm8q-7f3q-5f36, published May 6, 2026 by yusukebe, severity: Low