
@renovate
Contributor

@renovate renovate bot commented Oct 22, 2025

This PR contains the following updates:

Package: hono (source)
Change: 4.9.11 -> 4.10.3
Age / Confidence: (Renovate badges)

GitHub Vulnerability Alerts

CVE-2025-62610

Improper Authorization in Hono (JWT Audience Validation)

Hono’s JWT authentication middleware did not validate the aud (Audience) claim by default. As a result, applications using the middleware without an explicit audience check could accept tokens intended for other audiences, leading to potential cross-service access (token mix-up).

The issue is addressed by adding a new verification.aud configuration option to allow RFC 7519–compliant audience validation. This change is classified as a security hardening improvement, but the lack of validation can still be considered a vulnerability in deployments that rely on default JWT verification.

Recommended secure configuration

You can enable RFC 7519–compliant audience validation using the new verification.aud option:

import { Hono } from 'hono'
import { jwt } from 'hono/jwt'

const app = new Hono()

app.use(
  '/api/*',
  jwt({
    secret: 'my-secret',
    verification: {
      // Require this API to only accept tokens with aud = 'service-a'
      aud: 'service-a',
    },
  })
)

Below is the original description by the reporter. For security reasons, it does not include PoC reproduction steps, as the vulnerability can be clearly understood from the technical description.


The original description by the reporter

Summary

Hono’s JWT Auth Middleware does not provide a built-in aud (Audience) verification option, which can cause confused-deputy / token-mix-up issues: an API may accept a valid token that was issued for a different audience (e.g., another service) when multiple services share the same issuer/keys. This can lead to unintended cross-service access. Hono’s docs list verification options for iss/nbf/iat/exp only, with no aud support; RFC 7519 requires that when an aud claim is present, tokens MUST be rejected unless the processing party identifies itself in that claim.

Note: This problem likely exists in the JWK/JWKS-based middleware as well (e.g., jwk / verifyWithJwks)

Details

  • The middleware’s verifyOptions enumerate only iss, nbf, iat, and exp; there is no aud option. The same omission appears in the JWT Helper’s “Payload Validation” list. Developers relying on the middleware for complete standards-aligned validation therefore won’t check audience by default.
  • Standards requirement: RFC 7519 §4.1.3 states that each principal intended to process the JWT MUST identify itself with a value in the aud claim; if it does not, the JWT MUST be rejected (when aud is present). Lack of a first-class aud check increases the risk that tokens issued for Service B are accepted by Service A.
  • Real-world effect: In deployments with a single IdP/JWKS and shared keys across multiple services, a token minted for one audience can be mistakenly accepted by another audience unless developers implement a custom audience check.
    • For example, with Google Identity (OIDC), iss is always https://accounts.google.com (shared across apps), but aud differs per application because it is that app’s OAuth client ID; therefore, an attacker can host a separate service that supports “Sign in with Google,” obtain a valid ID token (JWT) for the victim user, and—if your API does not verify aud—use that token to access your API with the victim’s privileges.

Impact

Type: Authentication/authorization weakness via token mix-up (confused-deputy).

Who is impacted: Any Hono user who:

  • shares an issuer/keys across multiple services (common with a single IdP/JWKS)
  • distinguishes tokens by intended recipient using aud.

What can happen:

  • Cross-service access: A token for Service B may be accepted by Service A.
  • Boundary erosion: ID tokens and access tokens, or separate API audiences, can be inadvertently intermixed.
    • This may cause unauthorized invocation of sensitive endpoints.

Recommended remediation:

  1. Add verifyOptions.aud (string | string[] | RegExp) to the middleware and enforce RFC 7519 semantics: in the verify method, if aud is present and does not match the specified audiences, reject.
  2. Ensure equivalent aud handling exists in the JWK/JWKS flow (jwk middleware / verifyWithJwks) so users of external IdPs can enforce audience consistently.

GHSA-q7jf-gf43-6x6p

Summary

A flaw in the CORS middleware allowed request Vary headers to be reflected into the response, enabling attacker-controlled Vary values and potentially affecting cache behavior.

Details

The middleware previously copied the Vary header from the request when origin was not set to "*". Since Vary is a response header that should only be managed by the server, this could allow an attacker to influence caching behavior or cause inconsistent CORS handling.

Most environments will see impact only when shared caches or proxies rely on the Vary header. The practical effect varies by configuration.

Impact

May cause cache key pollution and inconsistent CORS enforcement in certain setups. No direct confidentiality, integrity, or availability impact in default configurations.

Resolution

Update to the latest patched release. The CORS middleware has been corrected to handle Vary exclusively as a response header.


Release Notes

honojs/hono (hono)

v4.10.3

Compare Source

Security Fix

A security issue in the CORS middleware has been fixed. In some cases, a request header could affect the Vary response header. Please update to the latest version if you are using the CORS middleware.

What's Changed

New Contributors

Full Changelog: honojs/hono@v4.10.2...v4.10.3

v4.10.2

Compare Source

v4.10.1

Compare Source

What's Changed

Full Changelog: honojs/hono@v4.10.0...v4.10.1

v4.10.0

Compare Source

Release Notes

Hono v4.10.0 is now available!

This release brings improved TypeScript support and new utilities.

The main highlight is the enhanced middleware type definitions that solve a long-standing issue with type safety for RPC clients.

Middleware Type Improvements

Imagine the following app:

import { Hono } from 'hono'

const app = new Hono()

const routes = app.get(
  '/',
  (c) => {
    return c.json({ errorMessage: 'Error!' }, 500)
  },
  (c) => {
    return c.json({ message: 'Success!' }, 200)
  }
)

The client with RPC:

import { hc } from 'hono/client'

const client = hc<typeof routes>('/')

const res = await client.index.$get()

if (res.status === 500) {
}

if (res.status === 200) {
}

Previously, it couldn't infer the responses from middleware, so a type error was thrown.

[Screenshot: CleanShot 2025-10-17 at 06 51 48@2x]

Now the responses are correctly typed.

[Screenshot: CleanShot 2025-10-17 at 06 54 13@2x]

This was a long-standing issue, and we thought it would be very difficult to resolve. But now it has come true.

Thank you for the great work @slawekkolodziej!

cloneRawRequest Utility

The new cloneRawRequest utility allows you to clone the raw Request object after it has been consumed by validators or middleware.

import { cloneRawRequest } from 'hono/request'

app.post('/api', async (c) => {
  const body = await c.req.json()

  // Clone the consumed request
  const clonedRequest = cloneRawRequest(c.req)
  await externalLibrary.process(clonedRequest)
})

Thanks @kamaal111!

New features

  • feat(types): passing middleware types #4393
  • feat(ssg): add default plugin that defines the recommended behavior #4394
  • feat(request): add cloneRawRequest utility for request cloning #4382

All changes

New Contributors

Full Changelog: honojs/hono@v4.9.12...v4.10.0

v4.9.12

Compare Source

What's Changed

  • refactor: internal structure of PreparedRegExpRouter for optimization and added tests by @usualoma in #4456
  • refactor: use protected methods instead of computed properties to allow tree shaking by @usualoma in #4458

Full Changelog: honojs/hono@v4.9.11...v4.9.12


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
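The audience check described under CVE-2025-62610 and the Vary handling described under GHSA-q7jf-gf43-6x6p, as an added example written for this page rather than code taken from Hono or from this PR. The function names verifyAudience and buildCorsResponseHeaders, the option shape, and the sample token payload and request headers are assumptions constructed for illustration; in a real service verifyAudience would run after signature verification, next to the iss/nbf/iat/exp checks the middleware already offers.

```javascript
// Added example (not Hono's code): the two checks the advisories above call
// for, written as framework-independent functions over constructed input.
// Function names (verifyAudience, buildCorsResponseHeaders) and all sample
// values are assumptions made for this illustration.

/**
 * RFC 7519 §4.1.3 audience check.
 *
 * `payload` is a decoded JWT claim set (signature already verified).
 * `expected` is the audience this service identifies itself as: a string,
 * an array of strings, or a RegExp, the shape the reporter recommends.
 *
 * Semantics: when `aud` is present, the recipient MUST appear in it or the
 * token MUST be rejected. When `aud` is absent the RFC check passes; set
 * `requireAud` to also reject tokens that carry no audience at all.
 */
function verifyAudience(payload, expected, { requireAud = false } = {}) {
  const aud = payload.aud;
  if (aud === undefined) {
    return requireAud
      ? { ok: false, reason: 'aud claim missing but required' }
      : { ok: true, reason: 'no aud claim present' };
  }
  // aud is a single StringOrURI or an array of them (RFC 7519 §4.1.3)
  const audiences = Array.isArray(aud) ? aud : [aud];
  if (audiences.some((a) => typeof a !== 'string')) {
    return { ok: false, reason: 'aud claim malformed' };
  }
  const matches = (a) => {
    if (expected instanceof RegExp) return expected.test(a); // assumed stateless (no g/y flag)
    if (Array.isArray(expected)) return expected.includes(a);
    return a === expected;
  };
  // An empty array also fails: the recipient is not identified in it.
  return audiences.some(matches)
    ? { ok: true, reason: 'audience matched' }
    : { ok: false, reason: `token audience ${JSON.stringify(aud)} is not this service` };
}

/**
 * CORS response headers with Vary treated strictly as a response header.
 *
 * `requestHeaders` is a plain object with lower-cased keys (constructed to
 * resemble an incoming request). `config.origin` is the allowed origin:
 * '*', a single origin string, or an array of origin strings.
 *
 * The flaw in GHSA-q7jf-gf43-6x6p was reflecting the request's Vary header
 * into the response when origin was not '*'. Here `requestHeaders.vary` is
 * never read: Vary is derived solely from the server's own configuration.
 */
function buildCorsResponseHeaders(requestHeaders, config) {
  const headers = {};
  if (config.origin === '*') {
    headers['Access-Control-Allow-Origin'] = '*';
    return headers; // response does not depend on Origin, so no Vary is needed
  }
  const allowed = Array.isArray(config.origin) ? config.origin : [config.origin];
  const reqOrigin = requestHeaders.origin;
  if (typeof reqOrigin === 'string' && allowed.includes(reqOrigin)) {
    headers['Access-Control-Allow-Origin'] = reqOrigin;
  }
  // The allow-origin value depends on the request Origin, so shared caches
  // must key on it. This is server policy, not a copy of any request header.
  headers['Vary'] = 'Origin';
  return headers;
}

// Constructed walk-through: a token minted for service-b presented to service-a.
const mixedUpToken = { iss: 'https://idp.example', sub: 'user-1', aud: 'service-b' };
console.log(verifyAudience(mixedUpToken, 'service-a').reason);
// Constructed request carrying a client-chosen Vary header, which is ignored.
const sampleRequest = { origin: 'https://app.example', vary: 'X-Client-Chosen' };
console.log(buildCorsResponseHeaders(sampleRequest, { origin: 'https://app.example' }));
```

Rejecting only when aud is present but mismatched follows the RFC text the report quotes; requireAud is offered because a deployment where one issuer serves several services usually wants audience-less tokens refused as well. The CORS function is deliberately unable to see the request's Vary value, which is the property the 4.10.3 fix restores.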

@renovate renovate bot requested a review from AdiRishi as a code owner October 22, 2025 20:51
@renovate renovate bot enabled auto-merge (squash) October 22, 2025 20:51
@changeset-bot

changeset-bot bot commented Oct 22, 2025

⚠️ No Changeset found

Latest commit: 22f8fba

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

renovate-approve[bot]
renovate-approve bot previously approved these changes Oct 22, 2025
@coderabbitai

coderabbitai bot commented Oct 22, 2025

Important

Review skipped

Ignore keyword(s) in the title.

⛔ Ignored keywords (1)
  • chore(deps)

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


Comment @coderabbitai help to get the list of available commands and usage tips.

@github-actions
Contributor

🌩 Deploying with Cloudflare Pages

Name Result
Last commit: 10f5d3b
Status: ✅ Deploy successful!
Preview URL: https://3285f16b.cloudflare-turbo-cache-docs.pages.dev

@renovate renovate bot force-pushed the renovate/npm-hono-vulnerability branch from 10f5d3b to db18861 Compare October 22, 2025 20:54
@github-actions
Contributor

🌩 Deploying with Cloudflare Pages

Name Result
Last commit: db18861
Status: ✅ Deploy successful!
Preview URL: https://ea1f441f.cloudflare-turbo-cache-docs.pages.dev

@renovate renovate bot changed the title chore(deps): update dependency hono to v4.10.2 [security] chore(deps): update dependency hono to v4.10.3 [security] Oct 24, 2025
@renovate renovate bot force-pushed the renovate/npm-hono-vulnerability branch from db18861 to df200bc Compare October 24, 2025 23:55
renovate-approve[bot]
renovate-approve bot previously approved these changes Oct 24, 2025
@github-actions
Contributor

🌩 Deploying with Cloudflare Pages

Name Result
Last commit: df200bc
Status: ✅ Deploy successful!
Preview URL: https://348ef951.cloudflare-turbo-cache-docs.pages.dev

@renovate renovate bot force-pushed the renovate/npm-hono-vulnerability branch from df200bc to 7ffee9c Compare October 25, 2025 02:00
@github-actions
Contributor

🌩 Deploying with Cloudflare Pages

Name Result
Last commit: 7ffee9c
Status: ✅ Deploy successful!
Preview URL: https://838e9945.cloudflare-turbo-cache-docs.pages.dev

@renovate renovate bot force-pushed the renovate/npm-hono-vulnerability branch from 7ffee9c to b605949 Compare November 1, 2025 03:00
@github-actions
Contributor

github-actions bot commented Nov 1, 2025

🌩 Deploying with Cloudflare Pages

Name Result
Last commit: b605949
Status: ✅ Deploy successful!
Preview URL: https://21cbeb58.cloudflare-turbo-cache-docs.pages.dev

@renovate renovate bot force-pushed the renovate/npm-hono-vulnerability branch from b605949 to 7958062 Compare November 8, 2025 02:52
@github-actions
Contributor

github-actions bot commented Nov 8, 2025

🌩 Deploying with Cloudflare Pages

Name Result
Last commit: 7958062
Status: ✅ Deploy successful!
Preview URL: https://33194c75.cloudflare-turbo-cache-docs.pages.dev

@renovate renovate bot force-pushed the renovate/npm-hono-vulnerability branch from 7958062 to 98dd59a Compare November 9, 2025 01:41
@github-actions
Contributor

github-actions bot commented Nov 9, 2025

🌩 Deploying with Cloudflare Pages

Name Result
Last commit: 98dd59a
Status: ✅ Deploy successful!
Preview URL: https://59437740.cloudflare-turbo-cache-docs.pages.dev

@renovate renovate bot force-pushed the renovate/npm-hono-vulnerability branch from 98dd59a to 68e8dbc Compare November 9, 2025 05:00
@github-actions
Contributor

github-actions bot commented Nov 9, 2025

🌩 Deploying with Cloudflare Pages

Name Result
Last commit: 68e8dbc
Status: ✅ Deploy successful!
Preview URL: https://d119a55a.cloudflare-turbo-cache-docs.pages.dev

@renovate renovate bot force-pushed the renovate/npm-hono-vulnerability branch from 68e8dbc to c430cb7 Compare November 15, 2025 02:35
@github-actions
Contributor

🌩 Deploying with Cloudflare Pages

Name Result
Last commit: c430cb7
Status: ✅ Deploy successful!
Preview URL: https://12669b84.cloudflare-turbo-cache-docs.pages.dev

renovate-approve[bot]
renovate-approve bot previously approved these changes Nov 22, 2025
@github-actions
Contributor

🌩 Deploying with Cloudflare Pages

Name Result
Last commit: 3a5f85f
Status: ✅ Deploy successful!
Preview URL: https://fe02fd84.cloudflare-turbo-cache-docs.pages.dev

@renovate renovate bot force-pushed the renovate/npm-hono-vulnerability branch from 3a5f85f to e76dfbe Compare November 26, 2025 20:01
@github-actions
Contributor

🌩 Deploying with Cloudflare Pages

Name Result
Last commit: e76dfbe
Status: ✅ Deploy successful!
Preview URL: https://92d543ef.cloudflare-turbo-cache-docs.pages.dev

@renovate renovate bot force-pushed the renovate/npm-hono-vulnerability branch from e76dfbe to 59a1d4f Compare November 29, 2025 00:49
@github-actions
Contributor

🌩 Deploying with Cloudflare Pages

Name Result
Last commit: 59a1d4f
Status: ✅ Deploy successful!
Preview URL: https://50604a4c.cloudflare-turbo-cache-docs.pages.dev

@renovate renovate bot force-pushed the renovate/npm-hono-vulnerability branch from 59a1d4f to 42295bd Compare November 29, 2025 19:40
@github-actions
Contributor

🌩 Deploying with Cloudflare Pages

Name Result
Last commit: 42295bd
Status: ✅ Deploy successful!
Preview URL: https://637c6f31.cloudflare-turbo-cache-docs.pages.dev

@renovate renovate bot force-pushed the renovate/npm-hono-vulnerability branch from 42295bd to 4d15731 Compare December 6, 2025 11:52
@github-actions
Contributor

github-actions bot commented Dec 6, 2025

🌩 Deploying with Cloudflare Pages

Name Result
Last commit: 4d15731
Status: ✅ Deploy successful!
Preview URL: https://418dc2fe.cloudflare-turbo-cache-docs.pages.dev

@renovate renovate bot force-pushed the renovate/npm-hono-vulnerability branch from 4d15731 to 22f8fba Compare December 6, 2025 14:19
@github-actions
Contributor

github-actions bot commented Dec 6, 2025

🌩 Deploying with Cloudflare Pages

Name Result
Last commit: 22f8fba
Status: ✅ Deploy successful!
Preview URL: https://bc7d7998.cloudflare-turbo-cache-docs.pages.dev
