Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Hono Improperly Authorizes JWT Audience Validation
Vulnerability Description
Hono is a Web application framework that provides support for any JavaScript runtime. In versions from 1.1.0 to before 4.10.2, Hono’s JWT Auth Middleware does not provide a built-in aud (Audience) verification option, which can cause confused-deputy / token-mix-up issues: an API may accept a valid token that was issued for a different audience (e.g., another service) when multiple services share the same issuer/keys. This can lead to unintended cross-service access. Hono’s docs list verification options for iss/nbf/iat/exp only, with no aud support; RFC 7519 requires that when an aud claim is present, tokens MUST be rejected unless the processing party identifies itself in that claim. This issue has been patched in version 4.10.2.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Vulnerability Type
授权机制不恰当
Vulnerability Title
Hono 授权问题漏洞
Vulnerability Description
Hono是Hono社区的一个用 TypeScript 编写的 Web 框架。 Hono 1.1.0版本至4.10.2之前版本存在授权问题漏洞,该漏洞源于JWT Auth Middleware缺少内置受众验证选项,可能导致令牌混淆和跨服务访问问题。
CVSS Information
N/A
Vulnerability Type
N/A