Security: honojs/hono
No security policy detected
This project has not set up a SECURITY.md file yet.
- API Gateway v1 adapter can drop a distinct repeated request header value during de-duplication
  GHSA-xgm2-5f3f-mvvc, published Jun 23, 2026 by yusukebe, Moderate
- Path traversal in `serve-static` on Windows via encoded backslash (`%5C`)
  GHSA-wwfh-h76j-fc44, published Jun 9, 2026 by yusukebe, Moderate
- Server-Side XSS via JSX Escaping Bypass in cx() Utility
  GHSA-w62v-xxxg-mg59, published Jun 23, 2026 by yusukebe, Moderate
- CORS Middleware reflects any Origin with credentials when `origin` defaults to the wildcard
  GHSA-88fw-hqm2-52qc, published Jun 9, 2026 by yusukebe, High
- hono/jsx does not isolate context per request, leading to cross-request data disclosure
  GHSA-hvrm-45r6-mjfj, published Jun 23, 2026 by yusukebe, Moderate
- Body Limit Middleware can be bypassed on AWS Lambda by understating `Content-Length`
  GHSA-rv63-4mwf-qqc2, published Jun 9, 2026 by yusukebe, Moderate
- Lambda@Edge adapter keeps only the last value of a repeated request header, dropping the rest
  GHSA-wgpf-jwqj-8h8p, published Jun 9, 2026 by yusukebe, Moderate
- AWS Lambda adapter merges multiple `Set-Cookie` headers into one value, dropping cookies on ALB single-header and Lattice
  GHSA-j6c9-x7qj-28xf, published Jun 9, 2026 by yusukebe, Moderate
- app.mount() strips mount prefix using undecoded path, causing incorrect routing for percent-encoded paths
  GHSA-2gcr-mfcq-wcc3, published May 19, 2026 by yusukebe, Moderate
- IP Restriction bypasses static deny rules for non-canonical IPv6
  GHSA-xrhx-7g5j-rcj5, published May 19, 2026 by yusukebe, Moderate