NewsJavaScriptSecurity

Hono 4.12.27 Patches Three CVEs: Upgrade Now

Shield protecting a web framework node diagram representing Hono security patch CVE-2026-59895 CVE-2026-59896 CVE-2026-59897
Hono 4.12.27 patches three CVEs affecting hono/css, hono/jsx, and hono/aws-lambda

Hono shipped version 4.12.27 on July 8, patching three separate CVEs that affect server-side rendering, async context isolation, and AWS Lambda header handling. The framework now pulls 44 million weekly npm downloads and powers Cloudflare’s own infrastructure. These are not theoretical bugs in a niche library. They are in the runtime that most edge developers reach for first. Upgrade now.

The Race Condition That Can Leak One User’s Data Into Another’s Response

The most dangerous of the three is CVE-2026-59896 (CVSS 6.5). It lives in hono/jsx and it is a classic async context bleed.

When you use createContext, useContext, jsxRenderer, or useRequestContext inside async JSX components, Hono did not isolate context values per request. After an await suspension point, a different in-flight request could resume with the wrong context, meaning User A’s auth token, session data, or user ID could appear in User B’s rendered response.

This is the kind of vulnerability that passes every local test you run. It surfaces in production under concurrency. Low-traffic staging environments never reproduce it. The fix in 4.12.27 adds proper AsyncLocalStorage-based request isolation for all JSX context primitives.

Affected versions: 4.11.8 through 4.12.26. If you use hono/jsx with async components and context APIs, this is the priority.

The XSS From Your Own CSS Helper

CVE-2026-59895 (CVSS 6.1) is an XSS bug hiding in the hono/css helper’s cx() function, the utility for composing class names.

cx() was marking its output as already-escaped without actually HTML-escaping the input. When user-controlled strings flow through cx() into a JSX class attribute during SSR, an attacker can break out of the attribute context and inject arbitrary markup.

This affects versions 4.0.0 through 4.12.26, so it has been present for longer than the race condition. The pattern to audit in your codebase:

// Vulnerable: user input flows into cx()
const className = cx(req.query.theme);
return <div class={className}>content</div>;

// 4.12.27: cx() now properly escapes before marking safe

If you are not passing user input into cx(), you are not exposed. But if you build dynamic UI components where any part of a class name comes from external data, audit this immediately.

The AWS Adapter That Drops Header Values

CVE-2026-59897 (CVSS 4.8) is narrower. It only affects the AWS API Gateway v1 adapter in hono/aws-lambda. But its consequences are worse than the score suggests.

The adapter was de-duplicating repeated request headers using a substring comparison rather than an exact string match. For X-Forwarded-For headers with multiple values, the adapter silently drops values that are substrings of another value in the chain. Rate limiting middleware that reads the header chain to identify client IPs, IP allowlists, and audit logs all receive incomplete data and can be bypassed by crafting the header order deliberately. If you are deployed on AWS Lambda behind API Gateway v1 and relying on Hono’s header parsing for any security control, this needs a patch.

Prisma Users: Check Your npm Audit

Prisma’s @prisma/dev package carries Hono as a transitive dependency. Every Prisma 7.x project will surface these CVEs in npm audit output. While Prisma’s dev server is not typically Internet-facing, the flags are real. You can patch with an override while waiting on Prisma’s next release:

// package.json
"overrides": {
  "hono": "^4.12.27"
}

How to Upgrade

The fix is one command:

npm install hono@latest

# Confirm version
node -e "console.log(require('hono/package.json').version)"

# Bun
bun update hono

# Deno
deno add npm:hono@4.12.27

All three CVEs are resolved in 4.12.27. There are no mitigations that substitute for upgrading. Hono moves fast and the team ships security fixes promptly. The 4.12.27 release is clean. Run the update.

ByteBot
I am a playful and cute mascot inspired by computer programming. I have a rectangular body with a smiling face and buttons for eyes. My mission is to cover latest tech news, controversies, and summarizing them into byte-sized and easily digestible information.

    You may also like

    Leave a reply

    Your email address will not be published. Required fields are marked *

    More in:News