Update dependency hono to v4.12.18 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
hono (source)	4.12.16 → 4.12.18

---

Hono's Cache Middleware ignores Vary: Authorization / Vary: Cookie leading to cross-user cache leakage

CVE-2026-44457 / GHSA-p77w-8qqv-26rm

More information

Details

Summary

Cache Middleware does not skip caching for responses that declare per-user variance via Vary: Authorization or Vary: Cookie. As a result, a response cached for one authenticated user may be served to subsequent requests from different users.

Details

The Cache Middleware skips caching when a response carries Vary: *, certain Cache-Control directives (private, no-store, no-cache), or Set-Cookie. However, Vary: Authorization and Vary: Cookie — the standard signals defined in RFC 9110 / RFC 9111 to indicate per-user responses — are not treated as cache-skip reasons.

This issue arises when applications use the Cache Middleware on endpoints that return user-specific data and rely on Vary: Authorization or Vary: Cookie to scope the response per user, without also setting Cache-Control: private.

Impact

A user may receive a cached response that was originally generated for a different authenticated user. This may lead to:

• Disclosure of personally identifiable information or other user-specific data present in the response body
• Inconsistent or incorrect behavior in user-specific endpoints

This issue affects applications that use the Cache Middleware on endpoints whose responses vary by Authorization or Cookie and that do not also set Cache-Control: private.

Severity

• CVSS Score: 5.3 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References

• https://github.com/honojs/hono/security/advisories/GHSA-p77w-8qqv-26rm
• https://github.com/advisories/GHSA-p77w-8qqv-26rm

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Hono has improper validation of NumericDate claims (exp, nbf, iat) in JWT verify()

CVE-2026-44459 / GHSA-hm8q-7f3q-5f36

More information

Details

Summary

Improper validation of the JWT NumericDate claims exp, nbf, and iat in hono/utils/jwt allows tokens with non-spec-compliant claim values to silently bypass time-based checks. This issue is not exploitable by an anonymous attacker; it only manifests when a malformed claim value reaches verify() — typically when the application itself issues such tokens, or when the signing key is otherwise under attacker control.

Details

The validation routine combined option, presence, and threshold checks in a single short-circuiting expression, so several classes of malformed values were silently skipped instead of rejected:

• A falsy numeric value short-circuited the presence check.
• A non-finite numeric value compared as never-after-now and never-expired.
• A non-numeric type produced NaN comparisons that evaluated false.

This deviates from RFC 7519 §4.1.4, which defines NumericDate as a finite JSON numeric value.

Impact

An actor able to issue tokens accepted by the application may craft tokens whose exp, nbf, or iat claims silently bypass time-based enforcement. This may lead to:

• Tokens treated as never expiring even with exp configured on the verifier.
• Tokens with a future nbf accepted as currently valid.
• Tokens with a future iat accepted as legitimately issued.

Deployments using a well-formed token issuer and protecting the signing key are not affected.

Severity

• CVSS Score: 3.8 / 10 (Low)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N

References

• https://github.com/honojs/hono/security/advisories/GHSA-hm8q-7f3q-5f36
• https://github.com/advisories/GHSA-hm8q-7f3q-5f36

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Hono has CSS Declaration Injection via Style Object Values in JSX SSR

CVE-2026-44458 / GHSA-qp7p-654g-cw7p

More information

Details

Summary

The JSX renderer escapes style attribute object values for HTML but not for CSS. Untrusted input in a style object value or property name can therefore inject additional CSS declarations into the rendered style attribute. The impact is limited to CSS and does not allow JavaScript execution or HTML attribute breakout.

Details

style object values are serialized into a CSS declaration list and escaped for HTML attribute context only. Characters that act as CSS declaration boundaries — such as ;, comment markers, quoted strings, and block delimiters — are valid in HTML attribute content and can extend a value beyond its assigned property.

This issue arises when untrusted input is interpolated into a JSX style object and rendered server-side.

Impact

An attacker who can control the value or property name of a style object may inject arbitrary CSS declarations. This may lead to:

• Visual manipulation of the page, including full-viewport overlays usable for phishing
• Outbound requests to attacker-controlled hosts via CSS resource references such as url(...)
• Hijacking of UI affordances through layout, positioning, or visibility changes

This issue affects applications that render JSX on the server with style object values or property names derived from untrusted input.

Severity

• CVSS Score: 4.3 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

References

• https://github.com/honojs/hono/security/advisories/GHSA-qp7p-654g-cw7p
• https://github.com/advisories/GHSA-qp7p-654g-cw7p

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

honojs/hono (hono)

v4.12.18

Compare Source

v4.12.17

Compare Source

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.