Hono: Improper validation of NumericDate claims (exp, nbf, iat) in...

3.8 / 10

LOW

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N

Description

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.18, improper validation of the JWT NumericDate claims exp, nbf, and iat in hono/utils/jwt allows tokens with non-spec-compliant claim values to silently bypass time-based checks. This issue is not exploitable by an anonymous attacker; it only manifests when a malformed claim value reaches verify() — typically when the application itself issues such tokens, or when the signing key is otherwise under attacker control. This vulnerability is fixed in 4.12.18.

Basic Information

ID CVE-2026-44459

Source GitHub_M

Published May 13, 2026 at 15:02

Affected Product

Vendor honojs

Product hono

Version < 4.12.18

Affected Versions honojs hono < 4.12.18

CWE Classification

CWE-1284

References

github.com /honojs/hono/security/advisories/GHSA-hm8q-7f3q-5f36

{
    "lastseen": "",
    "description": "Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.18, improper validation of the JWT NumericDate claims exp, nbf, and iat in hono/utils/jwt allows tokens with non-spec-compliant claim values to silently bypass time-based checks. This issue is not exploitable by an anonymous attacker; it only manifests when a malformed claim value reaches verify() \u2014 typically when the application itself issues such tokens, or when the signing key is otherwise under attacker control. This vulnerability is fixed in 4.12.18.",
    "published": "2026-05-13T15:02:23.872Z",
    "modified": "2026-05-13T15:02:23.872Z",
    "type": "cve",
    "title": "Hono: Improper validation of NumericDate claims (exp, nbf, iat) in JWT verify()",
    "source": "GitHub_M",
    "references": "https://github.com/honojs/hono/security/advisories/GHSA-hm8q-7f3q-5f36",
    "id": "CVE-2026-44459",
    "bulletinFamily": "",
    "cwe": [
        "CWE-1284"
    ],
    "cvelist": null,
    "sourceData": "honojs hono < 4.12.18",
    "sourceHref": "",
    "cvss": {
        "score": 3.8,
        "severity": "LOW",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "hono",
    "version": "< 4.12.18",
    "vendor": "honojs",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Hono: Improper validation of NumericDate claims (exp, nbf, iat) in JWT verify()_CVE-2026-44459