Hono allows bypass of CSRF Middleware by a request without Content-Type header.
Bypass CSRF Middleware by a request without Content-Type herader.
Advisories for Npm/Hono package
2024
Hono CSRF middleware can be bypassed using crafted Content-Type header
Hono CSRF middleware can be bypassed using crafted Content-Type header.
Hono vulnerable to Restricted Directory Traversal in serveStatic with deno
When using serveStatic with deno, it is possible to directory traverse where main.ts is located. My environment is configured as per this tutorial https://hono.dev/getting-started/deno
2023
Improper Control of Generation of Code ('Code Injection')
Hono is a web framework written in TypeScript. Prior to version 3.11.7, clients may override named path parameter values from previous requests if the application is using TrieRouter. So, there is a risk that a privileged user may use unintended parameters when deleting REST API resources. TrieRouter is used either explicitly or when the application matches a pattern that is not supported by the default RegExpRouter. Version 3.11.7 includes the …