[Security]: Pylon installs Hono v4.8.1 as its dependency #108

@ckhatton-pvfscaffolding

Description

Describe the bug
I use Snyk security software and it reports these issues when using Hono v4.8.1:

  • Use of Incorrectly-Resolved Name or Reference
  • HTTP Request Smuggling
  • Unverified Ownership
  • HTTP Request Smuggling

Which I appreciate doesn't make sense, as I see the package.json files use carets (^) for the versioning.

Full report at the bottom of this description.

❯ npm ls hono
[email protected] /home/foo/bar
├─┬ @getcronit/[email protected]
│ └─┬ @getcronit/[email protected]
│   └── [email protected] deduped
└─┬ @getcronit/[email protected]
  ├─┬ @hono/[email protected]
  │ └── [email protected] deduped
  └── [email protected]

To Reproduce
Steps to reproduce the behavior:

  1. bun install @getcronit/pylon
  2. bun install -d @getcronit/pylon-dev
  3. npm ls hono

Expected behavior
For at least Hono v4.10.3 to be installed.

Desktop

  • OS: Ubuntu 24.04

Additional context
Full report:

SNYK-JS-HONO-12485162: Use of Incorrectly-Resolved Name or Reference affecting hono package
Vulnerability | CVE-2025-58362 | CWE-706 | SNYK-JS-HONO-12485162
Fixed in: @4.9.6 | Exploit maturity: HIGH

Overview
Affected versions of this package are vulnerable to Use of Incorrectly-Resolved Name or Reference via the getPath function in the utils/url.ts file. An attacker can gain unauthorized access to protected endpoints by sending specially crafted malformed absolute-form Request-URIs that cause incorrect path extraction, potentially bypassing proxy-level access controls.

Remediation
Upgrade hono to version 4.9.6 or higher.

SNYK-JS-HONO-12668833: HTTP Request Smuggling affecting hono package
Vulnerability | CVE-2025-59139 | CWE-444 | SNYK-JS-HONO-12668833
Fixed in: @4.9.7 | Exploit maturity: MEDIUM

Overview
Affected versions of this package are vulnerable to HTTP Request Smuggling via the bodyLimit middleware when conflicting HTTP headers are present. An attacker can cause excessive memory or CPU consumption by sending oversized request bodies that bypass the configured size limit.

Note: This is exploitable if the deployment environment or runtime does not reject requests with both Content-Length and Transfer-Encoding: chunked headers.

Remediation
Upgrade hono to version 4.9.7 or higher.

SNYK-JS-HONO-13669873: Unverified Ownership affecting hono package
Vulnerability | CVE-2025-62610 | CWE-283 | SNYK-JS-HONO-13669873
Fixed in: @4.10.2 | Exploit maturity: HIGH

Overview
Affected versions of this package are vulnerable to Unverified Ownership via the JWT authentication process. An attacker can gain unauthorized access to protected resources by presenting a valid token intended for a different audience when multiple services share the same issuer or keys.

Workaround
Users should abstain from sharing an issuer/keys across multiple services (common with a single IdP/JWKS).

Users should not distinguish tokens by intended recipient using aud.

Remediation
Upgrade hono to version 4.10.2 or higher.

SNYK-JS-HONO-13720736: HTTP Request Smuggling affecting hono package
Vulnerability | CWE-444 | SNYK-JS-HONO-13720736
Fixed in: @4.10.3 | Exploit maturity: MEDIUM

Overview
Affected versions of this package are vulnerable to HTTP Request Smuggling via the CORS middleware, which copies the Vary header from the request to the response when the origin is not set to "*". An attacker can influence cache behavior or cause inconsistent cross-origin resource sharing enforcement by supplying crafted Vary headers in requests.

Note: This is exploitable if shared caches or proxies rely on the Vary header for cache key calculation.

Remediation
Upgrade hono to version 4.10.3 or higher.
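The practical question behind this report is whether every copy of hono that the install resolves (including the deduped, nested ones shown in the `npm ls hono` output above) has reached the highest "Fixed in" version the four advisories quote. The following is an added example, not code from the Pylon project or from the issue author: it walks a dependency tree in the nested shape `npm ls --json` emits (`name -> { version, dependencies }`) and, for each resolved copy of a package, lists the advisories whose fix version that copy has not reached. The advisory ids, CVE numbers and fix versions are the ones quoted in the report; the sample tree is constructed, with placeholder package names and versions wherever the issue's output is redacted, and a third hono copy at 4.10.3 is invented to show a patched copy alongside the vulnerable ones.

```javascript
// Added example (not from the Pylon project or the issue author): audit every
// resolved copy of a package in an `npm ls --json`-shaped tree against the
// "Fixed in" versions of the advisories quoted in the issue.

const HONO_ADVISORIES = [
  { id: 'SNYK-JS-HONO-12485162', cve: 'CVE-2025-58362', fixedIn: '4.9.6' },
  { id: 'SNYK-JS-HONO-12668833', cve: 'CVE-2025-59139', fixedIn: '4.9.7' },
  { id: 'SNYK-JS-HONO-13669873', cve: 'CVE-2025-62610', fixedIn: '4.10.2' },
  { id: 'SNYK-JS-HONO-13720736', cve: null, fixedIn: '4.10.3' },
];

// Constructed sample tree mirroring the `npm ls hono` output in the issue.
// Names and versions other than hono's are placeholders (the issue's output has
// them redacted); "some-other-dep" and its patched hono copy are invented.
const SAMPLE_TREE = {
  name: 'bar',
  version: '0.0.0',
  dependencies: {
    '@getcronit/pylon': {
      version: '0.0.0-placeholder',
      dependencies: {
        '@getcronit/placeholder-plugin': {
          version: '0.0.0-placeholder',
          dependencies: { hono: { version: '4.8.1' } },
        },
      },
    },
    '@getcronit/pylon-dev': {
      version: '0.0.0-placeholder',
      dependencies: { hono: { version: '4.8.1' } },
    },
    'some-other-dep': {
      version: '1.0.0',
      dependencies: { hono: { version: '4.10.3' } },
    },
  },
};

// Parse "4.10.3" (optionally prefixed with ^, ~ or v) into numeric parts so that
// 4.9.6 < 4.10.2 compares correctly; a plain string compare gets that wrong.
// Pre-release suffixes such as "-beta.1" are dropped for this comparison.
function parseVersion(v) {
  const core = String(v).replace(/^[^\d]*/, '').split('-')[0];
  return core.split('.').map((p) => parseInt(p, 10) || 0);
}

// Returns -1, 0 or 1 like a comparator.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// The lowest version that closes every advisory is the largest "Fixed in".
function requiredVersion(advisories) {
  return advisories
    .map((a) => a.fixedIn)
    .reduce((hi, v) => (compareVersions(v, hi) > 0 ? v : hi));
}

// Depth-first walk collecting every node named `target`, with its path from the root.
function findCopies(node, target, path = [], out = []) {
  for (const [name, child] of Object.entries(node.dependencies || {})) {
    const childPath = [...path, name];
    if (name === target) out.push({ path: childPath.join(' > '), version: child.version });
    findCopies(child, target, childPath, out);
  }
  return out;
}

// For each resolved copy, list the advisories whose fix version it has not reached.
function audit(tree, target, advisories) {
  const required = requiredVersion(advisories);
  const copies = findCopies(tree, target).map((c) => ({
    ...c,
    missing: advisories
      .filter((a) => compareVersions(c.version, a.fixedIn) < 0)
      .map((a) => a.id),
  }));
  return { required, copies, vulnerable: copies.filter((c) => c.missing.length > 0) };
}

// Usage on the constructed tree; with a real project, feed it
// JSON.parse(fs.readFileSync('tree.json')) from `npm ls hono --json > tree.json`.
const report = audit(SAMPLE_TREE, 'hono', HONO_ADVISORIES);
for (const c of report.vulnerable) {
  console.log(`${c.path} resolves hono ${c.version} (< ${report.required}); open: ${c.missing.join(', ')}`);
}
```

Two copies report all four advisories as open and the invented 4.10.3 copy reports none. Because the walk visits every node present in the tree rather than only the top-level entry, a hoisted copy that is current does not hide a nested copy that is not, which is the situation a caret range in one package.json cannot fix on its own: the range only widens what may be installed, so the lockfile or a package-level override still decides which version each dependent actually resolves.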
