Hono Improperly Authorizes JWT Audience Validation

Hono is a Web application framework that provides support for any JavaScript runtime. In versions from 1.1.0 to before 4.10.2, Hono’s JWT Auth Middleware does not provide a built-in aud (Audience) verification option, which can cause confused-deputy / token-mix-up issues: an API may accept a valid token that was issued for a different audience (e.g., another service) when multiple services share the same issuer/keys. This can lead to unintended cross-service access. Hono’s docs list verification options for iss/nbf/iat/exp only, with no aud support; RFC 7519 requires that when an aud claim is present, tokens MUST be rejected unless the processing party identifies itself in that claim. This issue has been patched in version 4.10.2.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

授权机制不恰当

Hono 授权问题漏洞

Hono是Hono社区的一个用 TypeScript 编写的 Web 框架。 Hono 1.1.0版本至4.10.2之前版本存在授权问题漏洞，该漏洞源于JWT Auth Middleware缺少内置受众验证选项，可能导致令牌混淆和跨服务访问问题。

N/A

N/A