CVE-2025-62610
Severity: HIGH · CVSS 3.1 base score 8.1 · EPSS 26.9%
Published Oct 22, 2025 · Last modified Jun 17, 2026
Description
Hono is a Web application framework that provides support for any JavaScript runtime. In versions from 1.1.0 to before 4.10.2, Hono’s JWT Auth Middleware does not provide a built-in aud (Audience) verification option, which can cause confused-deputy / token-mix-up issues: an API may accept a valid token that was issued for a different audience (e.g., another service) when multiple services share the same issuer/keys. This can lead to unintended cross-service access. Hono’s docs list verification options for iss/nbf/iat/exp only, with no aud support; RFC 7519 requires that when an aud claim is present, tokens MUST be rejected unless the processing party identifies itself in that claim. This issue has been patched in version 4.10.2.
CVSS Details
Base Score: 8.1 (CVSS 3.1)
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Confidentiality: High
- Integrity: High
- Availability: None
Threat Intelligence
- EPSS exploit probability percentile: 26.9%
- Public exploit: known
- Patch: available
Weaknesses (1)
- CWE-285 (Improper Authorization)
Affected Products (1)
| Vendor | Product | Version | Range |
|---|---|---|---|
| hono | hono | * | ≥1.1.0 – <4.10.2 |
References (2)
- github.com https://github.com/honojs/hono/commit/45ba3bf9e3dff8e4bd85d6b47d4b71c8d6c66bef
- github.com https://github.com/honojs/hono/security/advisories/GHSA-m732-5p4w-x69g
Remediation
- github.com https://github.com/honojs/hono/commit/45ba3bf9e3dff8e4bd85d6b47d4b71c8d6c66bef