*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Hono, a web framework, prior to version 4.6.5 is vulnerable to bypass of cross-site request forgery (CSRF) middleware by a request without Content-Type header. Although the CSRF middleware verifies the Content-Type Header, Hono always considers a request without a Content-Type header to be safe. This can allow an attacker to bypass CSRF protection implemented with Hono CSRF middleware. Version 4.6.5 fixes this issue.
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2024-32869
### Vulnerable Library - hono-2.3.1.tgz
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.2.7, when using serveStatic with deno, it is possible to traverse the directory where `main.ts` is located. This can result in retrieval of unexpected files. Version 4.2.7 contains a patch for the issue.
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2024-43787
### Vulnerable Library - hono-2.3.1.tgz
Hono is a Web application framework that provides support for any JavaScript runtime. Hono CSRF middleware can be bypassed using crafted Content-Type header. MIME types are case insensitive, but isRequestedByFormElementRe only matches lower-case. As a result, attacker can bypass csrf middleware using upper-case form-like MIME type. This vulnerability is fixed in 4.5.8.
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2023-50710
### Vulnerable Library - hono-2.3.1.tgz
Hono is a web framework written in TypeScript. Prior to version 3.11.7, clients may override named path parameter values from previous requests if the application is using TrieRouter. So, there is a risk that a privileged user may use unintended parameters when deleting REST API resources. TrieRouter is used either explicitly or when the application matches a pattern that is not supported by the default RegExpRouter. Version 3.11.7 includes the change to fix this issue. As a workaround, avoid using TrieRouter directly.
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2024-48913
### Vulnerable Library - hono-2.3.1.tgzUltrafast web framework for Cloudflare Workers.
Library home page: https://registry.npmjs.org/hono/-/hono-2.3.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy: - hono-minimal-0.0.1.tgz (Root Library) - :x: **hono-2.3.1.tgz** (Vulnerable Library)
Found in base branch: main
### Vulnerability DetailsHono, a web framework, prior to version 4.6.5 is vulnerable to bypass of cross-site request forgery (CSRF) middleware by a request without Content-Type header. Although the CSRF middleware verifies the Content-Type Header, Hono always considers a request without a Content-Type header to be safe. This can allow an attacker to bypass CSRF protection implemented with Hono CSRF middleware. Version 4.6.5 fixes this issue.
Publish Date: 2024-10-15
URL: CVE-2024-48913
### CVSS 3 Score Details (5.9)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: High - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/honojs/hono/security/advisories/GHSA-2234-fmw7-43wr
Release Date: 2024-10-15
Fix Resolution: hono - 4.6.5
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2024-32869
### Vulnerable Library - hono-2.3.1.tgzUltrafast web framework for Cloudflare Workers.
Library home page: https://registry.npmjs.org/hono/-/hono-2.3.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy: - hono-minimal-0.0.1.tgz (Root Library) - :x: **hono-2.3.1.tgz** (Vulnerable Library)
Found in base branch: main
### Vulnerability DetailsHono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.2.7, when using serveStatic with deno, it is possible to traverse the directory where `main.ts` is located. This can result in retrieval of unexpected files. Version 4.2.7 contains a patch for the issue.
Publish Date: 2024-04-23
URL: CVE-2024-32869
### CVSS 3 Score Details (5.3)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: None - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/honojs/hono/security/advisories/GHSA-3mpf-rcc7-5347
Release Date: 2024-04-23
Fix Resolution: hono - 4.2.7
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2024-43787
### Vulnerable Library - hono-2.3.1.tgzUltrafast web framework for Cloudflare Workers.
Library home page: https://registry.npmjs.org/hono/-/hono-2.3.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy: - hono-minimal-0.0.1.tgz (Root Library) - :x: **hono-2.3.1.tgz** (Vulnerable Library)
Found in base branch: main
### Vulnerability DetailsHono is a Web application framework that provides support for any JavaScript runtime. Hono CSRF middleware can be bypassed using crafted Content-Type header. MIME types are case insensitive, but isRequestedByFormElementRe only matches lower-case. As a result, attacker can bypass csrf middleware using upper-case form-like MIME type. This vulnerability is fixed in 4.5.8.
Publish Date: 2024-08-22
URL: CVE-2024-43787
### CVSS 3 Score Details (5.0)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: Low
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/honojs/hono/security/advisories/GHSA-rpfr-3m35-5vx5
Release Date: 2024-08-22
Fix Resolution: hono - 4.5.8
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2023-50710
### Vulnerable Library - hono-2.3.1.tgzUltrafast web framework for Cloudflare Workers.
Library home page: https://registry.npmjs.org/hono/-/hono-2.3.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy: - hono-minimal-0.0.1.tgz (Root Library) - :x: **hono-2.3.1.tgz** (Vulnerable Library)
Found in base branch: main
### Vulnerability DetailsHono is a web framework written in TypeScript. Prior to version 3.11.7, clients may override named path parameter values from previous requests if the application is using TrieRouter. So, there is a risk that a privileged user may use unintended parameters when deleting REST API resources. TrieRouter is used either explicitly or when the application matches a pattern that is not supported by the default RegExpRouter. Version 3.11.7 includes the change to fix this issue. As a workaround, avoid using TrieRouter directly.
Publish Date: 2023-12-14
URL: CVE-2023-50710
### CVSS 3 Score Details (4.2)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: Low - Availability Impact: Low
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/honojs/hono/security/advisories/GHSA-f6gv-hh8j-q8vq
Release Date: 2023-12-14
Fix Resolution: hono - 3.11.7
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)