- Description
- Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.18, improper validation of the JWT NumericDate claims exp, nbf, and iat in hono/utils/jwt allows tokens with non-spec-compliant claim values to silently bypass time-based checks. This issue is not exploitable by an anonymous attacker; it only manifests when a malformed claim value reaches verify() — typically when the application itself issues such tokens, or when the signing key is otherwise under attacker control. This vulnerability is fixed in 4.12.18.
- Source
- security-advisories@github.com
- NVD status
- Analyzed
- Products
- hono
CVSS 3.1
- Type
- Secondary
- Base score
- 3.8
- Impact score
- 2.5
- Exploitability score
- 1.2
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N
- Severity
- LOW
- security-advisories@github.com
- CWE-1284
- Hype score
- Not currently trending
[
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:hono:hono:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "5AB1A6FC-8475-4A23-9E63-46F3E6C5D264",
"versionEndExcluding": "4.12.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
]