CVE-2026-44459

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
13/05/2026
Last modified:
13/05/2026

Description

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.18, improper validation of the JWT NumericDate claims exp, nbf, and iat in hono/utils/jwt allows tokens with non-spec-compliant claim values to silently bypass time-based checks. This issue is not exploitable by an anonymous attacker; it only manifests when a malformed claim value reaches verify() — typically when the application itself issues such tokens, or when the signing key is otherwise under attacker control. This vulnerability is fixed in 4.12.18.

Vulnerable products and versions

CPE From Up to
cpe:2.3:a:hono:hono:*:*:*:*:*:node.js:*:* 4.12.18 (excluding)