Skip to content

hono dev dependency has 5 known security advisories (1 high, 4 medium) #2007

Description

@aaf091

Summary

Running a dependency vulnerability scan against this repo found the hono package (pinned at 4.12.23 in nodejs/package.json) has 5 published GitHub Security Advisories, all fixed in 4.12.25.

Findings

Advisory Severity CVSS Summary
GHSA-88fw-hqm2-52qc High 7.1 CORS Middleware reflects any Origin with credentials when origin defaults to the wildcard (CVE-2026-54290)
GHSA-j6c9-x7qj-28xf Medium AWS Lambda adapter merges multiple Set-Cookie headers into one, dropping cookies on ALB single-header and Lattice
GHSA-rv63-4mwf-qqc2 Medium Body Limit Middleware can be bypassed on AWS Lambda by understating Content-Length
GHSA-wgpf-jwqj-8h8p Medium Lambda@Edge adapter keeps only the last value of a repeated request header, dropping the rest
GHSA-wwfh-h76j-fc44 Medium Path traversal in serve-static on Windows via encoded backslash (%5C)

The most notable is GHSA-88fw-hqm2-52qc: with credentials: true and no explicit origin, affected versions of Hono's CORS middleware reflect the request's Origin header instead of failing closed, letting any third-party site make credentialed cross-origin requests against cookie-authenticated endpoints.

Is this exploitable here?

hono is a dev dependency in nodejs/package.json, not a runtime one, so practical exposure depends on how it's used in local tooling/dev servers rather than anything shipped to SDK consumers. Flagging for visibility regardless since it's a straightforward version bump.

Reproduction

  1. cd nodejs && npm ls hono → resolves to 4.12.23
  2. Cross-referencing against the GitHub Advisory Database / OSV.dev confirms all 5 advisories above are open against <4.12.25 and closed as of 4.12.25

Proposed fix

Bump hono to ^4.12.25 (or later) in nodejs/package.json. Happy to open a PR for this if it's useful and doesn't overlap with an existing automated dependency-update process (e.g. Dependabot).

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions