Update dependency hono to v4.10.3 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
hono (source)	4.8.5 -> 4.10.3

GitHub Vulnerability Alerts

CVE-2025-58362

Summary

A flaw in the getPath utility function could allow path confusion and potential bypass of proxy-level ACLs (e.g. Nginx location blocks).

Details

The original implementation relied on fixed character offsets when parsing request URLs. Under certain malformed absolute-form Request-URIs, this could lead to incorrect path extraction.

Most standards-compliant runtimes and reverse proxies reject such malformed requests with a 400 Bad Request, so the impact depends on the application and environment.

Impact

If proxy ACLs are used to protect sensitive endpoints such as /admin, this flaw could have allowed unauthorized access. The confidentiality impact depends on what data is exposed: if sensitive administrative data is exposed, the impact may be High (CVSS 7.5); otherwise it may be Medium (CVSS 5.3).

Resolution

The implementation has been updated to correctly locate the first slash after "://", preventing such path confusion.

CVE-2025-59139

Summary

A flaw in the bodyLimit middleware could allow bypassing the configured request body size limit when conflicting HTTP headers were present.

Details

The middleware previously prioritized the Content-Length header even when a Transfer-Encoding: chunked header was also included. According to the HTTP specification, Content-Length must be ignored in such cases. This discrepancy could allow oversized request bodies to bypass the configured limit.

Most standards-compliant runtimes and reverse proxies may reject such malformed requests with 400 Bad Request, so the practical impact depends on the runtime and deployment environment.

Impact

If body size limits are used as a safeguard against large or malicious requests, this flaw could allow attackers to send oversized request bodies. The primary risk is denial of service (DoS) due to excessive memory or CPU consumption when handling very large requests.

Resolution

The implementation has been updated to align with the HTTP specification, ensuring that Transfer-Encoding takes precedence over Content-Length. The issue is fixed in Hono v4.9.7, and all users should upgrade immediately.

CVE-2025-62610

Improper Authorization in Hono (JWT Audience Validation)

Hono’s JWT authentication middleware did not validate the aud (Audience) claim by default. As a result, applications using the middleware without an explicit audience check could accept tokens intended for other audiences, leading to potential cross-service access (token mix-up).

The issue is addressed by adding a new verification.aud configuration option to allow RFC 7519–compliant audience validation. This change is classified as a security hardening improvement, but the lack of validation can still be considered a vulnerability in deployments that rely on default JWT verification.

Recommended secure configuration

You can enable RFC 7519–compliant audience validation using the new verification.aud option:

import { Hono } from 'hono'
import { jwt } from 'hono/jwt'

const app = new Hono()

app.use(
  '/api/*',
  jwt({
    secret: 'my-secret',
    verification: {
      // Require this API to only accept tokens with aud = 'service-a'
      aud: 'service-a',
    },
  })
)

Below is the original description by the reporter. For security reasons, it does not include PoC reproduction steps, as the vulnerability can be clearly understood from the technical description.

---

The original description by the reporter

Summary

Hono’s JWT Auth Middleware does not provide a built-in aud (Audience) verification option, which can cause confused-deputy / token-mix-up issues: an API may accept a valid token that was issued for a different audience (e.g., another service) when multiple services share the same issuer/keys. This can lead to unintended cross-service access. Hono’s docs list verification options for iss/nbf/iat/exp only, with no aud support; RFC 7519 requires that when an aud claim is present, tokens MUST be rejected unless the processing party identifies itself in that claim.

Note: This problem likely exists in the JWK/JWKS-based middleware as well (e.g., jwk / verifyWithJwks)

Details

• The middleware’s verifyOptions enumerate only iss, nbf, iat, and exp; there is no aud option. The same omission appears in the JWT Helper’s “Payload Validation” list. Developers relying on the middleware for complete standards-aligned validation therefore won’t check audience by default.
• Standards requirement: RFC 7519 §4.1.3 states that each principal intended to process the JWT MUST identify itself with a value in the aud claim; if it does not, the JWT MUST be rejected (when aud is present). Lack of a first-class aud check increases the risk that tokens issued for Service B are accepted by Service A.
• Real-world effect: In deployments with a single IdP/JWKS and shared keys across multiple services, a token minted for one audience can be mistakenly accepted by another audience unless developers implement a custom audience check.
  • For example, with Google Identity (OIDC), iss is always https://accounts.google.com (shared across apps), but aud differs per application because it is that app’s OAuth client ID; therefore, an attacker can host a separate service that supports “Sign in with Google,” obtain a valid ID token (JWT) for the victim user, and—if your API does not verify aud—use that token to access your API with the victim’s privileges.

Impact

Type: Authentication/authorization weakness via token mix-up (confused-deputy).

Who is impacted: Any Hono user who:

• shares an issuer/keys across multiple services (common with a single IdP/JWKS)
• distinguishes tokens by intended recipient using aud.

What can happen:

• Cross-service access: A token for Service B may be accepted by Service A.
• Boundary erosion: ID tokens and access tokens, or separate API audiences, can be inadvertently intermixed.
  • This may causes unauthorized invocation of sensitive endpoints.

Recommended remediation:

1. Add verifyOptions.aud (string | string[] | RegExp) to the middleware and enforce RFC 7519 semantics: In verify method, if aud is present and does not match with specified audiences, reject.
2. Ensure equivalent aud handling exists in the JWK/JWKS flow (jwk middleware / verifyWithJwks) so users of external IdPs can enforce audience consistently.

GHSA-q7jf-gf43-6x6p

Summary

A flaw in the CORS middleware allowed request Vary headers to be reflected into the response, enabling attacker-controlled Vary values and potentially affecting cache behavior.

Details

The middleware previously copied the Vary header from the request when origin was not set to "*". Since Vary is a response header that should only be managed by the server, this could allow an attacker to influence caching behavior or cause inconsistent CORS handling.

Most environments will see impact only when shared caches or proxies rely on the Vary header. The practical effect varies by configuration.

Impact

May cause cache key pollution and inconsistent CORS enforcement in certain setups. No direct confidentiality, integrity, or availability impact in default configurations.

Resolution

Update to the latest patched release. The CORS middleware has been corrected to handle Vary exclusively as a response header.

---

Release Notes

honojs/hono (hono)

v4.10.3

Compare Source

Securiy Fix

A security issue in the CORS middleware has been fixed. In some cases, a request header could affect the Vary response header. Please update to the latest version if you are using the CORS middleware.

What's Changed

• fix(aws-lambda): serve microsoft office files as binary in lambda handler by @​matthiasfeist in #​4469
• fix(request-id): validation accepts = by @​ryuapp in #​4478
• refactor(jwt): reduce the size of the code generated by minification by @​usualoma in #​4480

New Contributors

• @​matthiasfeist made their first contribution in #​4469

Full Changelog: honojs/hono@v4.10.2...v4.10.3

v4.10.2

Compare Source

v4.10.1

Compare Source

What's Changed

• fix(types): cannot .use non-return mw from createMiddleware by @​NamesMT in #​4465

Full Changelog: honojs/hono@v4.10.0...v4.10.1

v4.10.0

Compare Source

Release Notes

Hono v4.10.0 is now available!

This release brings improved TypeScript support and new utilities.

The main highlight is the enhanced middleware type definitions that solve a long-standing issue with type safety for RPC clients.

Middleware Type Improvements

Imagine the following app:

import { Hono } from 'hono'

const app = new Hono()

const routes = app.get(
  '/',
  (c) => {
    return c.json({ errorMessage: 'Error!' }, 500)
  },
  (c) => {
    return c.json({ message: 'Success!' }, 200)
  }
)

The client with RPC:

import { hc } from 'hono/client'

const client = hc<typeof routes>('/')

const res = await client.index.$get()

if (res.status === 500) {
}

if (res.status === 200) {
}

Previously, it couldn't infer the responses from middleware, so a type error was thrown.

Now the responses are correctly typed.

---

This was a long-standing issue and we were thinking it was super difficult to resolve it. But now come true.

Thank you for the great work @​slawekkolodziej!

cloneRawRequest Utility

The new cloneRawRequest utility allows you to clone the raw Request object after it has been consumed by validators or middleware.

import { cloneRawRequest } from 'hono/request'

app.post('/api', async (c) => {
  const body = await c.req.json()

  // Clone the consumed request
  const clonedRequest = cloneRawRequest(c.req)
  await externalLibrary.process(clonedRequest)
})

Thanks @​kamaal111!

New features

• feat(types): passing middleware types #​4393
• feat(ssg): add default plugin that defines the recommended behavior #​4394
• feat(request): add cloneRawRequest utility for request cloning #​4382

All changes

• feat(types): passing middleware types by @​slawekkolodziej in #​4393
• feat(ssg): add default plugin that defines the recommended behavior by @​3w36zj6 in #​4394
• feat(request): add cloneRawRequest utility for request cloning by @​kamaal111 in #​4382
• fix(proxy): Correct hop-by-hop header handling per RFC 9110 by @​sugar-cat7 in #​4459

New Contributors

• @​slawekkolodziej made their first contribution in #​4393
• @​kamaal111 made their first contribution in #​4382

Full Changelog: honojs/hono@v4.9.12...v4.10.0

v4.9.12

Compare Source

What's Changed

• refactor: internal structure of PreparedRegExpRouter for optimization and added tests by @​usualoma in #​4456
• refactor: use protected methods instead of computed properties to allow tree shaking by @​usualoma in #​4458

Full Changelog: honojs/hono@v4.9.11...v4.9.12

v4.9.11

Compare Source

What's Changed

• fix(types): fix 4.9.8 regression by @​aadito123 in #​4448
• feat(reg-exp-router): Introduced PreparedRegExpRouter by @​usualoma in #​1796

New Contributors

• @​aadito123 made their first contribution in #​4448

Full Changelog: honojs/hono@v4.9.10...v4.9.11

v4.9.10

Compare Source

What's Changed

• fix(context): Fix #​4427 type regression by removing non-public export by @​aantthony in #​4433
• fix(aws-lambda): sanitize non-ASCII header values to prevent ByteString errors by @​yusukebe in #​4437

Full Changelog: honojs/hono@v4.9.9...v4.9.10

v4.9.9

Compare Source

What's Changed

• fix(service-worker): Update service-worker fire() to accept generic variants of Hono app instance by @​harmony7 in #​4420
• fix(service-worker): correct generics for handle by @​yusukebe in #​4421
• feat(helper/route): enable to get route path at specific index by @​usualoma in #​4423

New Contributors

• @​harmony7 made their first contribution in #​4420

Full Changelog: honojs/hono@v4.9.8...v4.9.9

v4.9.8

Compare Source

What's Changed

• fix(types): JSONParsed infer unknown values by @​BarryThePenguin in #​4405
• refactor(types): remove SimplifyDeepArray from json types by @​BarryThePenguin in #​4406
• refactor(types): fix the type definitions in hono-base by @​yusukebe in #​4407
• fix(request): return empty string for empty catch-all param by @​amitksingh0880 in #​4395

New Contributors

• @​amitksingh0880 made their first contribution in #​4395

Full Changelog: honojs/hono@v4.9.7...v4.9.8

v4.9.7

Compare Source

Security

• Fixed an issue in the bodyLimit middleware where the body size limit could be bypassed when both Content-Length and Transfer-Encoding headers were present. If you are using this middleware, please update immediately. Security Advisory

What's Changed

• fix(client): Fix parseResponse not parsing json in react native by @​lr0pb in #​4399
• chore: add .tool-versions file by @​3w36zj6 in #​4397
• chore: update bun install commands to use --frozen-lockfile by @​3w36zj6 in #​4398
• test(jwk): Add tests of JWK token verification by @​buckett in #​4402

New Contributors

• @​lr0pb made their first contribution in #​4399
• @​buckett made their first contribution in #​4402

Full Changelog: honojs/hono@v4.9.6...v4.9.7

v4.9.6

Compare Source

Security

Fixed a bug in URL path parsing (getPath) that could cause path confusion under malformed requests.

If you rely on reverse proxies (e.g. Nginx) for ACLs or restrict access to endpoints like /admin, please update immediately.

See advisory for details: GHSA-9hp6-4448-45g2

What's Changed

• chore: update packages in the router bench by @​yusukebe in #​4386
• chore(benchmarks): remove comment-out from router bench by @​yusukebe in #​4387

Full Changelog: honojs/hono@v4.9.5...v4.9.6

v4.9.5

Compare Source

What's Changed

• chore: replace supertest with undici by @​BarryThePenguin in #​4365
• fix(aws-lambda): preserve percent-encoded values in query strings by @​yusukebe in #​4372
• feat(cors): Allow async functions for origin and allowMethods by @​jobrk in #​4373
• feat(cors): Correct origin function return type asynchronously returning null or undefined for origin by @​jobrk in #​4375
• fix(service-worker): correct args for app.fetch in handle by @​yusukebe in #​4374
• fix(language-detector): Detect language from path after getPath changed by @​iflamed in #​4369

New Contributors

• @​jobrk made their first contribution in #​4373
• @​iflamed made their first contribution in #​4369

Full Changelog: honojs/hono@v4.9.4...v4.9.5

v4.9.4

Compare Source

What's Changed

• chore: add a type cast to run deno publish by @​yusukebe in #​4364

Full Changelog: honojs/hono@v4.9.3...v4.9.4

v4.9.3

Compare Source

What's Changed

• feat(csrf): Add modern CSRF protection with Fetch Metadata support by @​meck93 in #​4353
• tests: use vitest projects by @​BarryThePenguin in #​4359
• feat(proxy): add customFetch option to allow custom fetch function by @​yusukebe in #​4360
• chore: update typescript to 5.9.2 by @​yusukebe in #​4362
• chore: add packageManager field to package.json by @​yusukebe in #​4363

Full Changelog: honojs/hono@v4.9.2...v4.9.3

v4.9.2

Compare Source

What's Changed

• fix(jsx): 'plaintext-only' value for contenteditable attribute by @​object1037 in #​4349
• fix(client): handle query parameters in removeIndexString by @​yusukebe in #​4352

New Contributors

• @​object1037 made their first contribution in #​4349

Full Changelog: honojs/hono@v4.9.1...v4.9.2

v4.9.1

Compare Source

What's Changed

• feat(parseResponse): set DetailedError.name (+ error tests) by @​NamesMT in #​4344
• fix(parseResponse): should not include error responses in result by @​NamesMT in #​4348

Full Changelog: honojs/hono@v4.9.0...v4.9.1

v4.9.0

Compare Source

Release Notes

Hono v4.9.0 is now available!

This release introduces several enhancements and utilities.

The main highlight is the new parseResponse utility that makes it easier to work with RPC client responses.

parseResponse Utility

The new parseResponse utility provides a convenient way to parse responses from Hono RPC clients (hc). It automatically handles different response formats and throws structured errors for failed requests.

import { parseResponse, DetailedError } from 'hono/client'

// result contains the parsed response body (automatically parsed based on Content-Type)
const result = await parseResponse(client.hello.$get()).catch(
  // parseResponse automatically throws an error if response is not ok
  (e: DetailedError) => {
    console.error(e)
  }
)

This makes working with RPC client responses much more straightforward and type-safe.

Thanks @​NamesMT!

New features

• feat(bun): allow importing upgradeWebSocket and websocket directly #​4242
• feat(aws-lambda): specify content-type as binary #​4250
• feat(jwt): add validation for the issuer (iss) claim #​4253
• feat(jwk): add headerName to JWK middleware #​4279
• feat(cookie): add generateCookie and generateSignedCookie helpers #​4285
• feat(serve-static): use join to correct path resolution #​4291
• feat(jwt): expose utility function verifyWithJwks for external use #​4302
• feat: add parseResponse util to smartly parse hc's Response #​4314
• feat(ssg): mark old hook options as deprecated #​4331

All changes

• feat(aws-lambda): specify content-type as binary by @​Kanahiro in #​4250
• feat(jwt): added validation for the issuer (iss) claim by @​yolocat-dev in #​4253
• feat(jwk): Add custom headerName to JWK middleware by @​JoaquinGimenez1 in #​4279
• feat(cookie): generateCookie and generateSignedCookie helpers by @​Soviut in #​4285
• feat(serve-static): use join to correct path resolution by @​yusukebe in #​4291
• feat(jwt): Exposing utility function verifyWithJwks for external use by @​Beyondo in #​4302
• feat: add parseResponse util to smartly parse hc's Response by @​NamesMT in #​4314
• feat(ssg): mark old hook options as deprecated by @​3w36zj6 in #​4331
• fix(bun): exports functions related to websocket by @​yusukebe in #​4341
• Next by @​yusukebe in #​4340
• chore: enable skipLibCheck to resolve TypeScript compilation issues by @​yusukebe in #​4342

New Contributors

• @​yolocat-dev made their first contribution in #​4253
• @​JoaquinGimenez1 made their first contribution in #​4279
• @​Soviut made their first contribution in #​4285

Full Changelog: honojs/hono@v4.8.12...v4.9.0

v4.8.12

Compare Source

What's Changed

• fix(router): support /files/:name{.*} by @​yusukebe in #​4329

Full Changelog: honojs/hono@v4.8.11...v4.8.12

v4.8.11

Compare Source

What's Changed

• fix(types): should populate output type for c.body() by @​NamesMT in #​4318
• ci: add editorconfig-checker by @​3w36zj6 in #​4321
• fix(service-worker): pass FetchEvent as second argument to app.fetch by @​yusukebe in #​4328
• chore(ci): upgrade bun version to 1.2.19 by @​BarryThePenguin in #​4323
• chore: bump @hono/eslint-config by @​yusukebe in #​4330
• chore: autofix ci by @​BarryThePenguin in #​4322

Full Changelog: honojs/hono@v4.8.10...v4.8.11

v4.8.10

Compare Source

What's Changed

• chore: add EditorConfig by @​3w36zj6 in #​4309
• chore: format JSON, YAML, and Markdown by @​yusukebe in #​4310
• chore: format and lint benchmarks/* by @​yusukebe in #​4317
• refactor(types): bring adapter/service-worker types up to date by @​idealsh in #​4315
• chore: add editorconfig-checker by @​3w36zj6 in #​4312
• fix(cookie): support lowercase priority for compatibility with other libraries by @​bytaesu in #​4293

New Contributors

• @​idealsh made their first contribution in #​4315
• @​bytaesu made their first contribution in #​4293

Full Changelog: honojs/hono@v4.8.9...v4.8.10

v4.8.9

Compare Source

What's Changed

• fix(context): use isByteString in c.redirect by @​yusukebe in #​4307

Full Changelog: honojs/hono@v4.8.8...v4.8.9

v4.8.8

Compare Source

What's Changed

• docs: simplify the readme by @​yusukebe in #​4305
• fix(utils/url): prevent double encoding in safeEncodeURI by @​yusukebe in #​4306

Full Changelog: honojs/hono@v4.8.7...v4.8.8

v4.8.7

Compare Source

What's Changed

• chore: fix the deno version for publishing to jsr by @​yusukebe in #​4304

Full Changelog: honojs/hono@v4.8.6...v4.8.7

v4.8.6

Compare Source

What's Changed

• perf(types): remove unnecessary default types by @​yusukebe in #​4282
• fix(context): encode the redirect location by @​yayugu in #​4297

Full Changelog: honojs/hono@v4.8.5...v4.8.6

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.