Skip to content

[Aikido] Fix 36 security issues in hono, fast-uri#6

Open
aikido-autofix[bot] wants to merge 1 commit into
mainfrom
fix/aikido-security-update-packages-59595275-hypn
Open

[Aikido] Fix 36 security issues in hono, fast-uri#6
aikido-autofix[bot] wants to merge 1 commit into
mainfrom
fix/aikido-security-update-packages-59595275-hypn

Conversation

@aikido-autofix

@aikido-autofix aikido-autofix Bot commented Jul 2, 2026

Copy link
Copy Markdown

Upgrade Hono and fast-uri to fix path traversal, CORS credential bypass, and URI normalization bypass vulnerabilities.

✅ Code not affected by breaking changes.

✅ No breaking changes affect this codebase. The fast-uri package is only used as a transitive dependency through ajv, which is used by the conf package. However, the Conf instance in apps/cli/src/config/store.ts is created without any schema validation (no schema option is passed). Since the breaking change only affects URI fragment parsing during JSON schema validation, and this codebase doesn't use schema validation with conf, the upgrade will not cause any issues.

All breaking changes by upgrading fast-uri from version 3.1.0 to 3.1.3 (CHANGELOG)

Version Description
3.1.2
Handle malformed fragment decoding as a parse error - previously accepted malformed fragments will now fail to parse
✅ 36 CVEs resolved by this upgrade

This PR will resolve the following CVEs:

Issue Severity           Description
CVE-2026-39408
HIGH
[hono] Path traversal vulnerability in toSSG() allows attackers to write files outside the configured output directory during static site generation using specially crafted dynamic route parameters. This enables arbitrary file write attacks that could compromise system integrity.
AIKIDO-2026-11187
HIGH
[hono] CORS middleware with credentials enabled and wildcard origin incorrectly reflects the request Origin header instead of rejecting it, allowing any third-party page to make credentialed cross-origin requests and read cookie-authenticated API responses.
CVE-2026-54290
HIGH
[hono] CORS middleware with credentials enabled and default wildcard origin incorrectly reflects any request origin, allowing arbitrary sites to make credentialed cross-origin requests and access cookie-authenticated endpoints.
AIKIDO-2026-10704
MEDIUM
[hono] A body size limit middleware vulnerability allowed oversized payloads to bypass the limit check and reach application logic when Content-Length was missing or bodies were chunked, due to asynchronous limit enforcement. This could enable DoS attacks or unintended data processing despite configured size restrictions.
CVE-2026-47673
MEDIUM
[hono] JWT and JWK middlewares fail to verify the Authorization header uses the Bearer scheme, allowing authentication bypass when valid JWTs are presented with alternative scheme identifiers like Basic or Token.
AIKIDO-2026-571543
MEDIUM
[hono] The body-limit middleware on AWS Lambda adapters can be bypassed by declaring a small Content-Length header while sending a larger actual body, allowing oversized payloads to pass validation checks. This vulnerability enables denial-of-service attacks and potential remote code execution through request body processing.
CVE-2026-54288
MEDIUM
[hono] Body Limit Middleware improperly validates request size by trusting the Content-Length header instead of actual payload size, allowing attackers to bypass limits and send oversized bodies on AWS Lambda environments, potentially causing DoS or resource exhaustion.
CVE-2026-44455
MEDIUM
[hono] Improper handling of JSX element tag names allows unvalidated tag names to be inserted into HTML output during server-side rendering, enabling HTML injection attacks when untrusted input is used as tag names via jsx() or createElement() APIs.
AIKIDO-2026-11189
MEDIUM
[hono] A path traversal vulnerability in the serve-static middleware allows attackers to bypass authentication guards on Windows by using encoded backslashes in URLs to access protected static files. The vulnerability enables unauthenticated file disclosure without escaping the configured root directory.
CVE-2026-54286
MEDIUM
[hono] Path traversal vulnerability on Windows where encoded backslashes (%5C) in request paths are decoded and treated as separators, allowing attackers to bypass middleware protections and read arbitrary static files.
CVE-2026-39407
MEDIUM
[hono] Path handling inconsistency in serveStatic allows bypassing route-based authorization middleware by using repeated slashes (//) in request paths, enabling unauthorized access to protected static files.
CVE-2026-39409
MEDIUM
[hono] The ipRestriction() middleware fails to canonicalize IPv4-mapped IPv6 addresses before applying IPv4 allow/deny rules, allowing attackers to bypass IP-based access controls in dual-stack environments.
GHSA-26pp-8wgv-hjvm
MEDIUM
[hono] Cookie names are not validated in setCookie(), serialize(), or serializeSigned(), allowing invalid characters that can cause malformed Set-Cookie headers and runtime errors when processing untrusted cookie names.
AIKIDO-2026-10776
MEDIUM
[hono] Cache middleware improperly caches responses with varying Authorization or Cookie headers, allowing cached user-specific data to be served to different authenticated users, resulting in information disclosure.
CVE-2026-44457
MEDIUM
[hono] Cache Middleware fails to skip caching for responses with Vary: Authorization or Vary: Cookie headers, allowing cached responses from one authenticated user to be served to other users, resulting in information disclosure.
CVE-2026-47674
MEDIUM
[hono] The ip-restriction middleware fails to match non-canonical IPv6 representations against configured rules, allowing attackers to bypass IP-based access controls through alternative address formats.
CVE-2026-47675
MEDIUM
[hono] The serialize() function fails to validate sameSite and priority cookie options against characters that corrupt Set-Cookie headers, allowing attackers to inject arbitrary cookie attributes through user-controlled input, potentially leading to session hijacking or other cookie-based attacks.
CVE-2026-47676
MEDIUM
[hono] Path traversal vulnerability in app.mount() where percent-encoded multi-byte characters cause incorrect prefix stripping, allowing mounted sub-applications to receive unintended paths and potentially bypass security controls or access restricted resources.
AIKIDO-2026-943075
MEDIUM
[hono] The AWS Lambda adapter incorrectly merges multiple Set-Cookie headers into a single comma-separated value, causing clients to misparsed cookies and potentially drop session or CSRF tokens, breaking authentication. This is fixed by emitting Set-Cookie as an array instead.
CVE-2026-54287
MEDIUM
[hono] On AWS Lambda, ALB and VPC Lattice improperly join multiple Set-Cookie headers with commas, causing clients to misparse or drop cookies due to comma-separated formatting conflicts with cookie attributes like Expires dates.
GHSA-v8w9-8mx6-g223
MEDIUM
[hono] Prototype pollution vulnerability in parseBody({ dot: true }) where specially crafted form field names like __proto__.x create objects with __proto__ properties, potentially enabling prototype pollution if merged unsafely into other objects.
CVE-2026-39410
MEDIUM
[hono] A discrepancy between browser cookie parsing and parse() handling allows cookie prefix protections to be bypassed, enabling attacker-controlled cookies to override legitimate ones through key normalization.
AIKIDO-2026-362336
MEDIUM
[hono] A Lambda@Edge adapter vulnerability causes multi-value HTTP headers to be overwritten instead of preserved, resulting in incomplete header chains reaching application middleware and potentially bypassing access control or auditing mechanisms that depend on complete header data.
CVE-2026-54289
MEDIUM
[hono] A vulnerability in the AWS Lambda@Edge adapter causes repeated HTTP headers to be silently truncated to only the last value instead of preserving all entries, potentially weakening access control decisions based on header chains like X-Forwarded-For and compromising audit trails.
AIKIDO-2026-10703
MEDIUM
[hono] JSX runtime fails to sanitize tag names in jsx() and createElement(), allowing untrusted tag input to inject markup and reshape generated HTML, potentially enabling XSS attacks.
AIKIDO-2026-10775
MEDIUM
[hono] JSX style-object serialization fails to properly escape CSS declaration context, allowing untrusted style values or property names to inject additional CSS declarations. This enables UI manipulation and style-driven data exfiltration attacks.
CVE-2026-44458
MEDIUM
[hono] The JSX renderer fails to properly escape style attribute object values for CSS, allowing untrusted input to inject additional CSS declarations. This enables CSS injection attacks but does not permit JavaScript execution or HTML attribute breakout.
CVE-2026-56761
MEDIUM
[hono] HTML injection vulnerability in JSX server-side rendering allows attackers to inject arbitrary HTML by crafting malformed attribute names with special characters, potentially enabling XSS attacks and unauthorized content injection.
AIKIDO-2026-10774
LOW
[hono] JWT verification accepts malformed NumericDate claims for expiration, not-before, and issued-at fields, allowing falsy, non-finite, or non-numeric values to bypass time-based validation checks. This weakens token lifetime security by permitting invalid tokens to be accepted.
CVE-2026-44459
LOW
[hono] Improper JWT NumericDate claim validation allows malformed exp, nbf, and iat values to bypass time-based checks, enabling authentication bypass when applications issue non-compliant tokens or signing keys are compromised.
CVE-2026-44456
LOW
[hono] bodyLimit() middleware fails to enforce maximum request size for chunked transfer encoding, allowing oversized requests to bypass the limit and reach handlers, potentially causing denial of service or resource exhaustion.
AIKIDO-2026-10336
LOW
[hono] Accept header parsing uses a vulnerable regex that causes catastrophic backtracking when processing crafted headers with many segments, enabling denial of service attacks through CPU exhaustion.
CVE-2026-6321
HIGH
[fast-uri] A vulnerability in URI normalization allows attackers to bypass path-based access controls by using percent-encoded separators and dot segments that normalize to unintended paths. This enables policy bypass attacks where restricted paths can be accessed through specially crafted encoded URLs.
CVE-2026-6322
HIGH
[fast-uri] Normalize function improperly decodes percent-encoded authority delimiters in the host component, re-emitting them as raw delimiters during serialization. This allows attackers to bypass host allowlist checks and redirect requests to unintended authorities.
AIKIDO-2026-10784
HIGH
[fast-uri] A path normalization vulnerability allows attackers to bypass security checks by using percent-encoded slashes and dots that are decoded before dot-segment removal, causing distinct URIs to normalize identically and compare equal.
AIKIDO-2026-507986
HIGH
[fast-uri] A security bypass vulnerability exists in host canonicalization for Unicode/IDN values due to inconsistent ASCII/Unicode host handling, which could allow attackers to bypass security checks through improper host normalization.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants