Summary
Running a dependency vulnerability scan against this repo found the hono package (pinned at 4.12.23 in nodejs/package.json) has 5 published GitHub Security Advisories, all fixed in 4.12.25.
Findings
| Advisory |
Severity |
CVSS |
Summary |
| GHSA-88fw-hqm2-52qc |
High |
7.1 |
CORS Middleware reflects any Origin with credentials when origin defaults to the wildcard (CVE-2026-54290) |
| GHSA-j6c9-x7qj-28xf |
Medium |
— |
AWS Lambda adapter merges multiple Set-Cookie headers into one, dropping cookies on ALB single-header and Lattice |
| GHSA-rv63-4mwf-qqc2 |
Medium |
— |
Body Limit Middleware can be bypassed on AWS Lambda by understating Content-Length |
| GHSA-wgpf-jwqj-8h8p |
Medium |
— |
Lambda@Edge adapter keeps only the last value of a repeated request header, dropping the rest |
| GHSA-wwfh-h76j-fc44 |
Medium |
— |
Path traversal in serve-static on Windows via encoded backslash (%5C) |
The most notable is GHSA-88fw-hqm2-52qc: with credentials: true and no explicit origin, affected versions of Hono's CORS middleware reflect the request's Origin header instead of failing closed, letting any third-party site make credentialed cross-origin requests against cookie-authenticated endpoints.
Is this exploitable here?
hono is a dev dependency in nodejs/package.json, not a runtime one, so practical exposure depends on how it's used in local tooling/dev servers rather than anything shipped to SDK consumers. Flagging for visibility regardless since it's a straightforward version bump.
Reproduction
cd nodejs && npm ls hono → resolves to 4.12.23
- Cross-referencing against the GitHub Advisory Database / OSV.dev confirms all 5 advisories above are open against
<4.12.25 and closed as of 4.12.25
Proposed fix
Bump hono to ^4.12.25 (or later) in nodejs/package.json. Happy to open a PR for this if it's useful and doesn't overlap with an existing automated dependency-update process (e.g. Dependabot).
Summary
Running a dependency vulnerability scan against this repo found the
honopackage (pinned at 4.12.23 innodejs/package.json) has 5 published GitHub Security Advisories, all fixed in 4.12.25.Findings
origindefaults to the wildcard (CVE-2026-54290)Set-Cookieheaders into one, dropping cookies on ALB single-header and LatticeContent-Lengthserve-staticon Windows via encoded backslash (%5C)The most notable is GHSA-88fw-hqm2-52qc: with
credentials: trueand no explicitorigin, affected versions of Hono's CORS middleware reflect the request'sOriginheader instead of failing closed, letting any third-party site make credentialed cross-origin requests against cookie-authenticated endpoints.Is this exploitable here?
honois a dev dependency innodejs/package.json, not a runtime one, so practical exposure depends on how it's used in local tooling/dev servers rather than anything shipped to SDK consumers. Flagging for visibility regardless since it's a straightforward version bump.Reproduction
cd nodejs && npm ls hono→ resolves to4.12.23<4.12.25and closed as of4.12.25Proposed fix
Bump
honoto^4.12.25(or later) innodejs/package.json. Happy to open a PR for this if it's useful and doesn't overlap with an existing automated dependency-update process (e.g. Dependabot).