Hono has Body Limit Middleware Bypass
A flaw in the bodyLimit middleware could allow bypassing the configured request body size limit when conflicting HTTP headers were present.
A flaw in the getPath utility function could allow path confusion and potential bypass of proxy-level ACLs (e.g. Nginx location blocks).
CSRF Middleware can be bypassed by a request without a Content-Type header.
Hono CSRF middleware can be bypassed using a crafted Content-Type header.
When using serveStatic with Deno, it is possible to directory traverse where main.ts is located. My environment is configured as per this tutorial https://hono.dev/getting-started/deno
Hono is a web framework written in TypeScript. Prior to version 3.11.7, clients may override named path parameter values from previous requests if the application is using TrieRouter. So, there is a risk that a privileged user may use unintended parameters when deleting REST API resources. TrieRouter is used either explicitly or when the application matches a pattern that is not supported by the default RegExpRouter. Version 3.11.7 includes the …