
Hono shipped version 4.12.27 on July 8, patching three separate CVEs that affect server-side rendering, async context isolation, and AWS Lambda header handling. The framework now pulls 44 million weekly npm downloads and powers Cloudflare’s own infrastructure. These are not theoretical bugs in a niche library. They are in the runtime that most edge developers reach for first. Upgrade now.
The Race Condition That Can Leak One User’s Data Into Another’s Response
The most dangerous of the three is CVE-2026-59896 (CVSS 6.5). It lives in hono/jsx and it is a classic async context bleed.
When you use createContext, useContext, jsxRenderer, or useRequestContext inside async JSX components, Hono did not isolate context values per request. After an await suspension point, a different in-flight request could resume with the wrong context, meaning User A’s auth token, session data, or user ID could appear in User B’s rendered response.
This is the kind of vulnerability that passes every local test you run. It surfaces in production under concurrency. Low-traffic staging environments never reproduce it. The fix in 4.12.27 adds proper AsyncLocalStorage-based request isolation for all JSX context primitives.
Affected versions: 4.11.8 through 4.12.26. If you use hono/jsx with async components and context APIs, this is the priority.
The XSS From Your Own CSS Helper
CVE-2026-59895 (CVSS 6.1) is an XSS bug hiding in the hono/css helper’s cx() function, the utility for composing class names.
cx() was marking its output as already-escaped without actually HTML-escaping the input. When user-controlled strings flow through cx() into a JSX class attribute during SSR, an attacker can break out of the attribute context and inject arbitrary markup.
This affects versions 4.0.0 through 4.12.26, so it has been present for longer than the race condition. The pattern to audit in your codebase:
// Vulnerable: user input flows into cx()
const className = cx(req.query.theme);
return <div class={className}>content</div>;
// 4.12.27: cx() now properly escapes before marking safe
If you are not passing user input into cx(), you are not exposed. But if you build dynamic UI components where any part of a class name comes from external data, audit this immediately.
The AWS Adapter That Drops Header Values
CVE-2026-59897 (CVSS 4.8) is narrower. It only affects the AWS API Gateway v1 adapter in hono/aws-lambda. But its consequences are worse than the score suggests.
The adapter was de-duplicating repeated request headers using a substring comparison rather than an exact string match. For X-Forwarded-For headers with multiple values, the adapter silently drops values that are substrings of another value in the chain. Rate limiting middleware that reads the header chain to identify client IPs, IP allowlists, and audit logs all receive incomplete data and can be bypassed by crafting the header order deliberately. If you are deployed on AWS Lambda behind API Gateway v1 and relying on Hono’s header parsing for any security control, this needs a patch.
Prisma Users: Check Your npm Audit
Prisma’s @prisma/dev package carries Hono as a transitive dependency. Every Prisma 7.x project will surface these CVEs in npm audit output. While Prisma’s dev server is not typically Internet-facing, the flags are real. You can patch with an override while waiting on Prisma’s next release:
// package.json
"overrides": {
"hono": "^4.12.27"
}
How to Upgrade
The fix is one command:
npm install hono@latest
# Confirm version
node -e "console.log(require('hono/package.json').version)"
# Bun
bun update hono
# Deno
deno add npm:hono@4.12.27
All three CVEs are resolved in 4.12.27. There are no mitigations that substitute for upgrading. Hono moves fast and the team ships security fixes promptly. The 4.12.27 release is clean. Run the update.













