Update dependency hono to v4.12.14 [SECURITY]

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
hono (source)	4.10.7 → 4.12.14

---

Hono JWT Middleware's JWT Algorithm Confusion via Unsafe Default (HS256) Allows Token Forgery and Auth Bypass

CVE-2026-22817 / GHSA-f67f-6cw9-8mq4

More information

Details

Summary

A flaw in Hono’s JWK/JWKS JWT verification middleware allowed the JWT header’s alg value to influence signature verification when the selected JWK did not explicitly specify an algorithm. This could enable JWT algorithm confusion and, in certain configurations, allow forged tokens to be accepted.

Details

When verifying JWTs using JWKs or a JWKS endpoint, the middleware selected the verification algorithm based on the JWK’s alg field if present, but otherwise fell back to the alg value provided in the unverified JWT header.

Because the alg field in a JWK is optional and often omitted in real-world JWKS configurations, this behavior could allow an attacker to control the algorithm used for verification. In some environments, this may lead to authentication or authorization
bypass through crafted tokens.

The practical impact depends on application configuration, including which algorithms are accepted and how JWTs are used for authorization decisions.

Impact

In affected configurations, an attacker may be able to forge JWTs with attacker-controlled claims, potentially resulting in authentication or authorization bypass.

Applications that do not use the JWK/JWKS middleware, do not rely on JWT-based authentication, or explicitly restrict allowed algorithms are not affected.

Resolution

Update to the latest patched release.

Breaking change:

As part of this fix, the JWT middleware now requires the alg option to be explicitly specified. This prevents algorithm confusion by ensuring that the verification algorithm is not derived from untrusted JWT header values.

Applications upgrading must update their configuration accordingly.

Before (vulnerable configuration)

import { jwt } from 'hono/jwt'

app.use(
  '/auth/*',
  jwt({
    secret: 'it-is-very-secret',
    // alg was optional
  })
)

After (patched configuration)

import { jwt } from 'hono/jwt'

app.use(
  '/auth/*',
  jwt({
    secret: 'it-is-very-secret',
    alg: 'HS256', // required
  })
)

Severity

• CVSS Score: 8.2 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N

References

• https://github.com/honojs/hono/security/advisories/GHSA-f67f-6cw9-8mq4
• https://nvd.nist.gov/vuln/detail/CVE-2026-22817
• https://github.com/honojs/hono/commit/cc0aa7ae327ed84cc391d29086dec2a3e44e7a1f
• https://github.com/advisories/GHSA-f67f-6cw9-8mq4

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Hono JWK Auth Middleware has JWT algorithm confusion when JWK lacks "alg" (untrusted header.alg fallback)

CVE-2026-22818 / GHSA-3vhc-576x-3qv4

More information

Details

Summary

A flaw in Hono’s JWK/JWKS JWT verification middleware allowed the algorithm specified in the JWT header to influence signature verification when the selected JWK did not explicitly define an algorithm. This could enable JWT algorithm confusion and, in certain configurations, allow forged tokens to be accepted.

Details

When verifying JWTs using JWKs or a JWKS endpoint, the middleware selected the verification algorithm based on the JWK’s alg field if present. If the JWK did not specify an algorithm, the middleware fell back to using the alg value provided in the unverified JWT header.

Because the alg field in a JWK is optional and commonly omitted in real-world JWKS configurations, this behavior could allow an attacker to influence which algorithm is used for verification. In some environments, this may result in authentication or authorization bypass through crafted JWTs.

The practical impact depends on application configuration, including which algorithms are accepted and how JWTs are used to make authorization decisions.

Impact

In affected configurations, an attacker may be able to forge JWTs with attacker-controlled claims, potentially leading to authentication or authorization bypass.

Applications that do not use the JWK/JWKS middleware, do not rely on JWT-based authentication, or explicitly restrict allowed algorithms are not affected.

Resolution

Update to the latest patched release.

Breaking change:

The JWK/JWKS JWT verification middleware has been updated to require an explicit allowlist of asymmetric algorithms when verifying tokens. The middleware no longer derives the verification algorithm from untrusted JWT header values.

Instead, callers must explicitly specify which asymmetric algorithms are permitted, and only tokens signed with those algorithms will be accepted. This prevents JWT algorithm confusion by ensuring that algorithm selection is fully controlled by application
configuration.

As part of this fix, the alg option is now required when using the JWK/JWKS middleware, and symmetric (HS*) algorithms are no longer accepted in this context.

Before (vulnerable configuration)

import { jwk } from 'hono/jwk'

app.use(
  '/auth/*',
  jwk({
    jwks_uri: 'https://example.com/.well-known/jwks.json',
    // alg was optional
  })
)

After (patched configuration)

import { jwk } from 'hono/jwk'

app.use(
  '/auth/*',
  jwk({
    jwks_uri: 'https://example.com/.well-known/jwks.json',
    alg: ['RS256'], // required: explicit asymmetric algorithm allowlist
  })
)

Severity

• CVSS Score: 8.2 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N

References

• https://github.com/honojs/hono/security/advisories/GHSA-3vhc-576x-3qv4
• https://nvd.nist.gov/vuln/detail/CVE-2026-22818
• https://github.com/honojs/hono/commit/190f6e28e2ca85ce3d1f2f54db1310f5f3eab134
• https://github.com/advisories/GHSA-3vhc-576x-3qv4

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Hono IPv4 address validation bypass in IP Restriction Middleware allows IP spoofing

CVE-2026-24398 / GHSA-r354-f388-2fhh

More information

Details

Summary

IP Restriction Middleware in Hono is vulnerable to an IP address validation bypass. The IPV4_REGEX pattern and convertIPv4ToBinary function in src/utils/ipaddr.ts do not properly validate that IPv4 octet values are within the valid range of 0-255, allowing attackers to craft malformed IP addresses that bypass IP-based access controls.

Details

The vulnerability exists in two components:

1. Permissive regex pattern: The IPV4_REGEX (/^[0-9]{0,3}\.[0-9]{0,3}\.[0-9]{0,3}\.[0-9]{0,3}$/) accepts octet values greater than 255 (e.g., 999).
2. Unsafe binary conversion: The convertIPv4ToBinary function does not validate octet ranges before performing bitwise operations. When an octet exceeds 255, it overflows into adjacent octets during the bit-shift calculation.

For example, the IP address 1.2.2.355 is accepted and converts to the same binary value as 1.2.3.99:

• 355 = 256 + 99 = 0x163
• After bit-shifting: (1 << 24) + (2 << 16) + (2 << 8) + 355 = 0x01020363 = 1.2.3.99

Impact

An attacker can bypass IP-based restrictions by crafting malformed IP addresses:

• Blocklist bypass: If 1.2.3.0/24 is blocked, an attacker can use 1.2.2.355 (or similar) to bypass the restriction.
• Allowlist bypass: Requests from unauthorized IP ranges may be incorrectly permitted.

This is exploitable when the application relies on client-provided IP addresses (e.g., X-Forwarded-For header) for access control decisions.

Affected Components

• IP Restriction Middleware
• src/utils/ipaddr.ts: IPV4_REGEX, convertIPv4ToBinary, distinctRemoteAddr

Severity

• CVSS Score: 4.8 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

References

• https://github.com/honojs/hono/security/advisories/GHSA-r354-f388-2fhh
• https://github.com/honojs/hono/commit/edbf6eea8e6c26a3937518d4ed91d8666edeec37
• https://github.com/honojs/hono/releases/tag/v4.11.7
• https://nvd.nist.gov/vuln/detail/CVE-2026-24398
• https://github.com/advisories/GHSA-r354-f388-2fhh

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Hono cache middleware ignores "Cache-Control: private" leading to Web Cache Deception

CVE-2026-24472 / GHSA-6wqw-2p9w-4vw4

More information

Details

Summary

Cache Middleware contains an information disclosure vulnerability caused by improper handling of HTTP cache control directives. The middleware does not respect standard cache control headers such as Cache-Control: private or Cache-Control: no-store, which may result in private or authenticated responses being cached and subsequently exposed to unauthorized users.

Details

The vulnerability exists in the cache decision logic of Cache Middleware. When determining whether a response should be cached, the middleware does not take HTTP cache control semantics into account and may cache responses that are explicitly marked as private by the application. While some runtimes, such as Cloudflare Workers, enforce cache control restrictions at the platform level, other runtimes including Deno, Bun, and Node.js rely on the middleware’s behavior. As a result, applications running on these runtimes may unintentionally cache sensitive responses.

Impact

This issue can lead to Web Cache Deception and information disclosure. If an authenticated user accesses an endpoint that returns user-specific or sensitive data and the response is cached despite being marked as private, subsequent unauthenticated requests may receive the cached response. This may result in the exposure of personally identifiable information or session-related data. The impact is limited to applications that use the hono/cache middleware and rely on it to correctly honor HTTP cache control directives.

Affected Components

• Cache Middleware

Severity

• CVSS Score: 5.3 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References

• https://github.com/honojs/hono/security/advisories/GHSA-6wqw-2p9w-4vw4
• https://github.com/honojs/hono/commit/12c511745b3f1e7a3f863a23ce5f921c7fa805d1
• https://github.com/honojs/hono/releases/tag/v4.11.7
• https://nvd.nist.gov/vuln/detail/CVE-2026-24472
• https://github.com/advisories/GHSA-6wqw-2p9w-4vw4

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Hono has an Arbitrary Key Read in Serve static Middleware (Cloudflare Workers Adapter)

CVE-2026-24473 / GHSA-w332-q679-j88p

More information

Details

Summary

Serve static Middleware for the Cloudflare Workers adapter contains an information disclosure vulnerability that may allow attackers to read arbitrary keys from the Workers environment. Improper validation of user-controlled paths can result in unintended access to internal asset keys.

Details

The vulnerability exists in the serve-static middleware used with the Cloudflare Workers adapter. When serving static assets, the middleware does not sufficiently validate or restrict user-supplied paths before resolving them against the Workers asset storage.

As a result, an attacker may craft requests that access arbitrary keys beyond the intended static asset scope. This issue only affects applications running on Cloudflare Workers that use Serve static Middleware with user-controllable request paths.

Impact

This vulnerability may lead to information disclosure by allowing unauthorized access to internal assets or data stored in the Workers environment. The exposed data is limited to readable asset keys and does not allow modification of stored data or execution of arbitrary code.

The impact is limited to applications that use Serve static Middleware in the Cloudflare Workers adapter and rely on it to safely handle untrusted request paths.

Affected Components

• Serve static Middleware (Cloudflare Workers adapter)

Severity

• CVSS Score: 6.3 / 10 (Medium)
• Vector String: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

References

• https://github.com/honojs/hono/security/advisories/GHSA-w332-q679-j88p
• https://github.com/honojs/hono/commit/cf9a78db4d0a19b117aee399cbe9d3a6d9bfd817
• https://github.com/honojs/hono/releases/tag/v4.11.7
• https://nvd.nist.gov/vuln/detail/CVE-2026-24473
• https://github.com/advisories/GHSA-w332-q679-j88p

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Hono vulnerable to XSS through ErrorBoundary component

CVE-2026-24771 / GHSA-9r54-q6cx-xmh5

More information

Details

Summary

A Cross-Site Scripting (XSS) vulnerability exists in the ErrorBoundary component of the hono/jsx library. Under certain usage patterns, untrusted user-controlled strings may be rendered as raw HTML, allowing arbitrary script execution in the victim's browser.

Details

The issue is in the ErrorBoundary component (src/jsx/components.ts). ErrorBoundary previously forced certain rendered output paths to be treated as raw HTML, bypassing the library's default escaping behavior. This could result in unescaped rendering when developers pass user-controlled strings directly as children, or when fallbackRender returns user-controlled strings (for example, reflecting error messages that contain attacker input).

This vulnerability is only exploitable when an application renders untrusted user input within ErrorBoundary without appropriate escaping or sanitization.

Impact

Successful exploitation may allow attackers to execute arbitrary JavaScript in the victim’s browser (reflected XSS). Depending on the application context, this can lead to actions such as session compromise, data exfiltration, or performing unauthorized actions as the victim.

Affected Components

• hono/jsx: ErrorBoundary component

Severity

• CVSS Score: 4.7 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

References

• https://github.com/honojs/hono/security/advisories/GHSA-9r54-q6cx-xmh5
• https://nvd.nist.gov/vuln/detail/CVE-2026-24771
• https://github.com/honojs/hono/commit/2cf60046d730df9fd0aba85178f3ecfe8212d990
• https://github.com/advisories/GHSA-9r54-q6cx-xmh5

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Hono added timing comparison hardening in basicAuth and bearerAuth

GHSA-gq3j-xvxp-8hrf

More information

Details

Summary

The basicAuth and bearerAuth middlewares previously used a comparison that was not fully timing-safe.

The timingSafeEqual function used normal string equality (===) when comparing hash values. This comparison may stop early if values differ, which can theoretically cause small timing differences.

The implementation has been updated to use a safer comparison method.

Details

The issue was caused by the use of normal string equality (===) when comparing hash values inside the timingSafeEqual function.

In JavaScript, string comparison may stop as soon as a difference is found. This means the comparison time can slightly vary depending on how many characters match.

Under very specific and controlled conditions, this behavior could theoretically allow timing-based analysis.

The implementation has been updated to:

• Avoid early termination during comparison
• Use a constant-time-style comparison method

Impact

This issue is unlikely to be exploited in normal environments.

It may only be relevant in highly controlled situations where precise timing measurements are possible.

This change is considered a security hardening improvement. Users are encouraged to upgrade to the latest version.

Severity

• CVSS Score: 3.7 / 10 (Low)
• Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

References

• https://github.com/honojs/hono/security/advisories/GHSA-gq3j-xvxp-8hrf
• https://github.com/honojs/hono/commit/91def7cab654bad5eecc9270e6620d577971ff5e
• https://github.com/honojs/hono/releases/tag/v4.11.10
• https://github.com/advisories/GHSA-gq3j-xvxp-8hrf

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Hono vulnerable to arbitrary file access via serveStatic vulnerability

CVE-2026-29045 / GHSA-q5qw-h33p-qvwr

More information

Details

Summary

When using serveStatic together with route-based middleware protections (e.g. app.use('/admin/*', ...)), inconsistent URL decoding allowed protected static resources to be accessed without authorization.

The router used decodeURI, while serveStatic used decodeURIComponent. This mismatch allowed paths containing encoded slashes (%2F) to bypass middleware protections while still resolving to the intended filesystem path.

Details

The routing layer preserved %2F as a literal string, while serveStatic decoded it into / before resolving the file path.

Example:

Request: /admin%2Fsecret.html

• Router sees: /admin%2Fsecret.html → does not match /admin/*
• Static handler resolves: /admin/secret.html

As a result, static files under the configured static root could be served without triggering route-based protections.

This only affects applications that both:

• Protect subpaths using route-based middleware, and
• Serve files from the same static root using serveStatic.

This does not allow access outside the static root and is not a path traversal vulnerability.

Impact

An unauthenticated attacker could bypass route-based authorization for protected static resources by supplying paths containing encoded slashes.

Applications relying solely on route-based middleware to protect static subpaths may have exposed those resources.

Severity

• CVSS Score: 7.5 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References

• https://github.com/honojs/hono/security/advisories/GHSA-q5qw-h33p-qvwr
• https://github.com/honojs/hono/commit/6a0607a929d888893f0c91d92dce2fcfdb3662a3
• https://nvd.nist.gov/vuln/detail/CVE-2026-29045
• https://github.com/advisories/GHSA-q5qw-h33p-qvwr

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Hono Vulnerable to SSE Control Field Injection via CR/LF in writeSSE()

CVE-2026-29085 / GHSA-p6xx-57qc-3wxr

More information

Details

Summary

When using streamSSE() in Streaming Helper, the event, id, and retry fields were not validated for carriage return (\r) or newline (\n) characters.

Because the SSE protocol uses line breaks as field delimiters, this could allow injection of additional SSE fields within the same event frame if untrusted input was passed into these fields.

Details

The SSE helper builds event frames by joining lines with \n. While multi-line data: fields are handled according to the SSE specification, the event, id, and retry fields previously allowed raw values without rejecting embedded CR/LF characters.

Including CR/LF in these control fields could allow unintended additional fields (such as data:, id:, or retry:) to be injected into the event stream.

The issue has been fixed by rejecting CR/LF characters in these fields.

Impact

An attacker could manipulate the structure of SSE event frames if an application passed user-controlled input directly into event, id, or retry.

Depending on application behavior, this could result in injected SSE fields or altered event stream handling. Applications that render e.data in an unsafe manner (for example, using innerHTML) could potentially expose themselves to client-side script injection.

This issue affects applications that rely on the SSE helper to enforce protocol-level constraints.

Severity

• CVSS Score: 6.5 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

References

• https://github.com/honojs/hono/security/advisories/GHSA-p6xx-57qc-3wxr
• https://github.com/honojs/hono/commit/f4123ed9ea3c7c52380cc99a079a4d773838846e
• https://nvd.nist.gov/vuln/detail/CVE-2026-29085
• https://github.com/advisories/GHSA-p6xx-57qc-3wxr

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Hono Vulnerable to Cookie Attribute Injection via Unsanitized domain and path in setCookie()

CVE-2026-29086 / GHSA-5pq2-9x2x-5p6w

More information

Details

Summary

The setCookie() utility did not validate semicolons (;), carriage returns (\r), or newline characters (\n) in the domain and path options when constructing the Set-Cookie header.

Because cookie attributes are delimited by semicolons, this could allow injection of additional cookie attributes if untrusted input was passed into these fields.

Details

setCookie() builds the Set-Cookie header by concatenating option values. While the cookie value itself is URL-encoded, the domain and path options were previously interpolated without rejecting unsafe characters.

Including ;, \r, or \n in these fields could result in unintended additional attributes (such as SameSite, Secure, Domain, or Path) being appended to the cookie header.

Modern runtimes prevent full header injection via CRLF, so this issue is limited to attribute-level manipulation within a single Set-Cookie header.

The issue has been fixed by rejecting these characters in the domain and path options.

Impact

An attacker may be able to manipulate cookie attributes if an application passes user-controlled input directly into the domain or path options of setCookie().

This could affect cookie scoping or security attributes depending on browser behavior. Exploitation requires application-level misuse of cookie options.

Severity

• CVSS Score: 5.4 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

References

• https://github.com/honojs/hono/security/advisories/GHSA-5pq2-9x2x-5p6w
• https://github.com/honojs/hono/commit/44ae0c8cc4d5ab2bed529127a4ac72e1483ad073
• https://nvd.nist.gov/vuln/detail/CVE-2026-29086
• https://github.com/advisories/GHSA-5pq2-9x2x-5p6w

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Hono vulnerable to Prototype Pollution possible through proto key allowed in parseBody({ dot: true })

GHSA-v8w9-8mx6-g223

More information

Details

Summary

When using parseBody({ dot: true }) in HonoRequest, specially crafted form field names such as __proto__.x could create objects containing a __proto__ property.

If the parsed result is later merged into regular JavaScript objects using unsafe merge patterns, this may lead to prototype pollution in the target object.

Details

The parseBody({ dot: true }) feature supports dot notation to construct nested objects from form field names.

In previous versions, the __proto__ path segment was not filtered. As a result, specially crafted keys such as __proto__.x could produce objects containing __proto__ properties.

While this behavior does not directly modify Object.prototype within Hono itself, it may become exploitable if the parsed result is later merged into regular JavaScript objects using unsafe merge patterns.

Impact

Applications that merge parsed form data into regular objects using unsafe patterns (for example recursive deep merge utilities) may become vulnerable to prototype pollution.

Severity

• CVSS Score: 4.8 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

References

• https://github.com/honojs/hono/security/advisories/GHSA-v8w9-8mx6-g223
• https://github.com/honojs/hono/commit/ef902257e0beacbb83d2a9549b3b83e03514a6fe
• https://github.com/advisories/GHSA-v8w9-8mx6-g223

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Hono: Path traversal in toSSG() allows writing files outside the output directory

CVE-2026-39408 / GHSA-xf4j-xp2r-rqqx

More information

Details

Summary

A path traversal issue in toSSG() allows files to be written outside the configured output directory during static site generation. When using dynamic route parameters via ssgParams, specially crafted values can cause generated file paths to escape the intended output directory.

Details

The static site generation process creates output files based on route paths derived from application routes and parameters. When ssgParams is used to provide values for dynamic routes, those values are used to construct output file paths. If these values contain traversal sequences (e.g. ..), the resulting output path may resolve outside the configured output directory. As a result, files may be written to unintended locations instead of being confined within the specified output directory.

For example:

import { Hono } from 'hono'
import { toSSG, ssgParams } from 'hono/ssg'

const app = new Hono()

app.get('/:id', ssgParams([{ id: '../pwned' }]), (c) => {
  return c.text('pwned')
})

toSSG(app, fs, { dir: './static' })

In this case, the generated output path may resolve outside ./static, resulting in a file being written outside the intended output directory.

Impact

An attacker who can influence values passed to ssgParams during the build process may be able to write files outside the intended output directory.

Depending on the build and deployment environment, this may:

• overwrite unintended files
• affect generated artifacts
• impact deployment outputs or downstream tooling

This issue is limited to build-time static site generation and does not affect request-time routing.

Severity

• CVSS Score: 5.9 / 10 (Medium)
• Vector String: CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

References

• https://github.com/honojs/hono/security/advisories/GHSA-xf4j-xp2r-rqqx
• https://github.com/honojs/hono/commit/b470278920fffcfd6d76002755d6db53db827679
• https://github.com/honojs/hono/releases/tag/v4.12.12
• https://nvd.nist.gov/vuln/detail/CVE-2026-39408
• https://github.com/advisories/GHSA-xf4j-xp2r-rqqx

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Hono: Middleware bypass via repeated slashes in serveStatic

CVE-2026-39407 / GHSA-wmmm-f939-6g9c

More information

Details

Summary

A path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes (//) in the request path.

When route-based middleware (e.g., /admin/*) is used for authorization, the router may not match paths containing repeated slashes, while serveStatic resolves them as normalized paths. This can lead to a middleware bypass.

Details

The routing layer and serveStatic handle repeated slashes differently.

For example:

/admin/secret.txt => matches /admin/*
/admin//secret.txt => may not match /admin/*

However, serveStatic may interpret both paths as the same file location (e.g., admin/secret.txt) and return the file.

This inconsistency allows a request such as:

GET //admin/secret.txt

to bypass middleware registered on /admin/* and access protected files.

The issue has been fixed by rejecting paths that contain repeated slashes, ensuring consistent behavior between route matching and static file resolution.

Impact

An attacker can access static files that are intended to be protected by route-based middleware by using repeated slashes in the request path.

This can lead to unauthorized access to sensitive files under the static root.

This issue affects applications that rely on serveStatic together with route-based middleware for access control.

Severity

• CVSS Score: 5.3 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References

• https://github.com/honojs/hono/security/advisories/GHSA-wmmm-f939-6g9c
• https://github.com/honojs/hono/commit/9aff14bd727f8b0435c963363fd803260e7b8e3c
• https://github.com/honojs/hono/releases/tag/v4.12.12
• https://nvd.nist.gov/vuln/detail/CVE-2026-39407
• https://github.com/advisories/GHSA-wmmm-f939-6g9c

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Hono has incorrect IP matching in ipRestriction() for IPv4-mapped IPv6 addresses

CVE-2026-39409 / GHSA-xpcf-pg52-r92g

More information

Details

Summary

ipRestriction() does not canonicalize IPv4-mapped IPv6 client addresses (e.g. ::ffff:127.0.0.1) before applying IPv4 allow or deny rules. In environments such as Node.js dual-stack, this can cause IPv4 rules to fail to match, leading to unintended authorization behavior.

Details

The middleware classifies client addresses based on their textual form. Addresses containing ":" are treated as IPv6, including IPv4-mapped IPv6 addresses such as ::ffff:127.0.0.1. These addresses are not normalized to IPv4 before matching.

As a result:

• IPv4 static rules (e.g. 127.0.0.1) do not match because the raw string differs
• IPv4 CIDR rules (e.g. 127.0.0.0/8, 10.0.0.0/8) are skipped because the address is treated as IPv6

For example, with:

denyList: ['127.0.0.1']

a request from 127.0.0.1 may be represented as ::ffff:127.0.0.1 and bypass the deny rule.

This behavior commonly occurs in Node.js environments where IPv4 clients are exposed as IPv4-mapped IPv6 addresses.

Impact

Applications that rely on IPv4-based ipRestriction() rules may incorrectly allow or deny requests.

In affected deployments, a denied IPv4 client may bypass access restrictions. Conversely, legitimate clients may be rejected when using IPv4 allow lists.

Severity

• CVSS Score: 6.3 / 10 (Medium)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

References

• https://github.com/honojs/hono/security/advisories/GHSA-xpcf-pg52-r92g
• https://github.com/honojs/hono/commit/48fa2233bc092f650119f42df043050737cabf39
• https://github.com/honojs/hono/releases/tag/v4.12.12
• https://nvd.nist.gov/vuln/detail/CVE-2026-39409
• https://github.com/advisories/GHSA-xpcf-pg52-r92g

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Hono: Non-breaking space prefix bypass in cookie name handling in getCookie()

CVE-2026-39410 / GHSA-r5rp-j6wh-rvv4

More information

Details

Summary

A discrepancy between browser cookie parsing and parse() handling allows cookie prefix protections to be bypassed.

Cookie names that are treated as distinct by the browser may be normalized to the same key by parse(), allowing attacker-controlled cookies to override legitimate ones.

Details

Browsers follow RFC 6265bis and only trim SP (0x20) and HTAB (0x09) from cookie names. Other characters, such as the non-breaking space (U+00A0), are preserved as part of the cookie name.

For example, the browser treats the following cookies as distinct:

"dummy-cookie"
"\u00a0dummy-cookie"

However, parse() previously used JavaScript's trim(), which removes a broader set of characters including U+00A0. As a result, both names are normalized to:

"dummy-cookie"

This mismatch allows attacker-controlled cookies with a U+00A0 prefix to shadow or override legitimate cookies when accessed via getCookie().

Impact

An attacker who can set cookies (e.g., via a man-in-the-middle on a non-secure page or other injection vector) can bypass cookie prefix protections and override sensitive cookies.

This may lead to:

• Bypassing __Secure- and __Host- prefix protections
• Overriding cookies that rely on the Secure attribute
• Session fixation or session hijacking depending on application usage

This issue affects applications that rely on getCookie() for security-sensitive cookie handling.

Severity

• CVSS Score: 4.8 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

References

• https://github.com/honojs/hono/security/advisories/GHSA-r5rp-j6wh-rvv4
• https://github.com/honojs/hono/commit/cc067c85592415cb1880ad3c61ed923472452ec0
• https://github.com/honojs/hono/releases/tag/v4.12.12
• https://nvd.nist.gov/vuln/detail/CVE-2026-39410
• https://github.com/advisories/GHSA-r5rp-j6wh-rvv4

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Hono missing validation of cookie name on write path in setCookie()

GHSA-26pp-8wgv-hjvm

More information

Details

Summary

Cookie names are not validated on the write path when using setCookie(), serialize(), or serializeSigned() to generate Set-Cookie headers.

While certain cookie attributes such as domain and path are validated, the cookie name itself may contain invalid characters.

This results in inconsistent handling of cookie names between parsing (read path) and serialization (write path).

Details

When applications use setCookie(), serialize(), or serializeSigned() with a user-controlled cookie name, invalid values (e.g., containing control characters such as \r or \n) can be used to construct malformed Set-Cookie header values.

For example:

Set-Cookie: legit
X-Injected: evil=value

However, in modern runtimes such as Node.js and Cloudflare Workers, such invalid header values are rejected and result in a runtime error before the response is sent.

As a result, the reported header injection / response splitting behavior could not be reproduced in these environments.

Impact

Applications that pass untrusted input as the cookie name to setCookie(), serialize(), or serializeSigned() may encounter runtime errors due to invalid header values.

In tested environments, malformed Set-Cookie headers are rejected before being sent, and the reported header injection behavior could not be reproduced.

This issue primarily affects correctness and robustness rather than introducing a confirmed exploitable vulnerability.

Severity

• CVSS Score: 5.3 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References

• https://github.com/honojs/hono/security/advisories/GHSA-26pp-8wgv-hjvm
• https://github.com/honojs/hono/commit/a586cd72e3f6122792e631ecf1817e5cabb803ec
• https://github.com/honojs/hono/releases/tag/v4.12.12
• https://github.com/advisories/GHSA-26pp-8wgv-hjvm

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

hono Improperly Handles JSX Attribute Names Allows HTML Injection in hono/jsx SSR

GHSA-458j-xx4x-4375

More information

Details

Summary

Improper handling of JSX attribute names in hono/jsx allows malformed attribute keys to corrupt the generated HTML output.

When untrusted input is used as attribute keys during server-side rendering, specially crafted keys can break out of attribute or tag boundaries and inject unintended HTML.

Details

When rendering JSX elements to HTML strings, attribute values are escaped, but attribute names (keys) were previously inserted into the output without validation.

If an attribute name contains characters such as ", >, or whitespace, it can alter the structure of the generated HTML.

For example, malformed attribute names can:

• Break out of the current attribute and introduce unintended additional attributes
• Break out of the current HTML tag and inject new elements into the output

This issue arises when untrusted input (such as query parameters or form data) is used as JSX attribute keys during server-side rendering.

Impact

An attacker who can control attribute keys used in JSX rendering may inject unintended attributes or HTML elements into the generated output.

This may lead to:

• Injection of unexpected HTML attributes
• Corruption of the HTML structure
• Potential cross-site scripting (XSS) if combined with unsafe usage patterns

This issue affects applications that pass untrusted input as JSX attribute keys during server-side rendering.

Severity

• CVSS Score: 4.3 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

References

• https://github.com/honojs/hono/security/advisories/GHSA-458j-xx4x-4375
• https://github.com/advisories/GHSA-458j-xx4x-4375

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

honojs/hono (hono)

v4.12.14

Compare Source

Security fixes

This release includes fixes for the following security issues:

Improper handling of JSX attribute names in hono/jsx SSR

Affects: hono/jsx. Fixes missing validation of JSX attribute names during server-side rendering, which could allow malformed attribute keys to corrupt the generated HTML output and inject unintended attributes or elements. GHSA-458j-xx4x-4375

Other changes

• fix(aws-lambda): handle invalid header names in request processing (#​4883) fa2c74f

v4.12.13

Compare Source

What's Changed

• fix(types): infer response type from last handler in app.on 9-/10-handler overloads by @​T4ko0522 in #​4865
• feat(trailing-slash): add skip option by @​yusukebe in #​4862
• feat(cache): add onCacheNotAvailable option by @​yusukebe in #​4876

New Contributors

• @​T4ko0522 made their first contribution in #​4865

Full Changelog: honojs/hono@v4.12.12...v4.12.13

v4.12.12

Compare Source

Security fixes

This release includes fixes for the following security issues:

Middleware bypass via repeated slashes in serveStatic

Affects: Serve Static middleware. Fixes a path normalization inconsistency where repeated slashes (//) could bypass route-based middleware protections and allow access to protected static files. GHSA-wmmm-f939-6g9c

Path traversal in toSSG() allows writing files outside the output directory

Affects: toSSG() for Static Site Generation. Fixes a path traversal issue where crafted ssgParams values could write files outside the configured output directory. GHSA-xf4j-xp2r-rqqx

Incorrect IP matching in ipRestriction() for IPv4-mapped IPv6 addresses

Affects: IP Restriction Middleware. Fixes improper handling of IPv4-mapped IPv6 addresses (e.g. ::ffff:127.0.0.1) that could cause allow/deny rules to be bypassed. GHSA-xpcf-pg52-r92g

Missing validation of cookie name on write path in setCookie()

Affects: setCookie(), serialize(), and serializeSigned() from hono/cookie. Fixes missing validation of cookie names on the write path, preventing inconsistent handling between parsing and serialization. GHSA-26pp-8wgv-hjvm

Non-breaking space prefix bypass in cookie name handling in getCookie()

Affects: getCookie() from hono/cookie. Fixes a discrepancy in cookie name handling that could allow attacker-controlled cookies to override legitimate ones and bypass prefix protections. GHSA-r5rp-j6wh-rvv4

---

Users who use Serve Static, Static Site Generation, Cookie utilities, or IP restriction middleware are strongly encouraged to upgrade to this version.

v4.12.11

Compare Source

What's Changed

• feat(css): add classNameSlug option to createCssContext by @​flow-pie in #​4834

New Contributors

• @​flow-pie made their first contribution in #​4834

Full Changelog: honojs/hono@v4.12.10...v4.12.11

v4.12.10

Compare Source

What's Changed

• test(router): fix Simple capturing group test by @​yusukebe in #​4838
• docs: fix impaired -> inspired typo in benchmark READMEs by @​Abhi3975 in #​4843
• fix(jsx/dom): apply select value after children are rendered by @​usualoma in #​4847
• fix(compress): convert strong ETag to weak ETag when compressing by @​usualoma in #​4848
• docs(ip-restriction): add clear JSDoc examples and param types by @​VISHNU7KASIREDDY in #​4851

New Contributors

• @​Abhi3975 made their first contribution in #​4843
• @​VISHNU7KASIREDDY made their first contribution in #​4851

Full Changelog: honojs/hono@v4.12.9...v4.12.10

v4.12.9

Compare Source

What's Changed

• fix(request): remove parseBody from bodyCache to prevent TypeError by @​yusukebe in #​4807
• feat(client): add PickResponseByStatusCode type by @​yusukebe in #​4791
• fix(ssg): pass SSG_CONTEXT to forGetInfoURLRequest by @​yuintei in #​4810
• fix(service-worker): make fire() fallback behavior consistent with handle() by @​yusukebe in #​4821
• fix(cors): reflect request origin when credentials is true with wildcard by @​ctonneslan in #​4813

New Contributors

• @​yuintei made their first contribution in #​4810
• @​ctonneslan made their first contribution in #​4813

Full Changelog: honojs/hono@v4.12.8...v4.12.9

v4.12.8

Compare Source

What's Changed

• fix(utils/mime): Normalize input extension to lowercase before MIME check by @​TheEssem in #​4800
• fix(bearer-auth): escape regex metacharacters in bearer auth prefix option by @​otoneko1102 in #​4750

New Contributors

• @​TheEssem made their first contribution in #​4800

Full Changelog: honojs/hono@v4.12.7...v4.12.8

v4.12.7

Compare Source

Security hardening

Ignore __proto__ path segments in parseBody({ dot: true }) to prevent potential prototype pollution when merged with unsafe patterns.

---

Full Changelog: honojs/hono@v4.12.6...v4.12.7

v4.12.6

Compare Source

What's Changed

• fix(accept): replace regex split to mitigate ReDoS by @​EdamAme-x in #​4758
• fix(jsx): align link hoisting and dedupe with React 19 by @​usualoma in #​4792
• chore(builld): tsconfig project references by @​BarryThePenguin in #​4797
• chore: add tsconfig.spec.json by @​yusukebe in #​4798
• feat(jsx-renderer): support function-based options by @​3w36zj6 in #​4780
• fix(lambda-edge): avoid callback handler deprecation on NODEJS_24_X by @​t0waxx in #​4782

New Contributors

• @​t0waxx made their first contribution in #​4782

Full Changelog: honojs/hono@v4.12.5...v4.12.6

v4.12.5

Compare Source

What's Changed

• fix(request): return string | undefined from param() when path type is any by @​andrewdamelio in #​4723
• fix(jwt): validate token format in decode and decodeHeader functions by @​otoneko1102 in #​4752
• fix(jsx): Fix "Invalid state: Controller is already closed" by @​gaearon in #​4770
• chore(eslint): upgrade @hono/eslint-config by [@​BarryThePenguin](https://redirect.githu

[coderabbitai]

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 2423ff1d-d567-455c-96a7-6ce03cff46e3

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch renovate/npm-hono-vulnerability

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[ErisDS]

🤖 Velo CI Failure Analysis

Classification: 🟠 SOFT FAIL

• Workflow: CICD
• Failed Step: Run Tests
• Run: View failed run
  What failed: TypeScript type error in route-registry.ts
  Why: The root cause of the failure is a TypeScript type error in the route-registry.ts file. This is a code issue, as the error is related to the application code and not the infrastructure.
  Action:
  The author should review the code in route-registry.ts and fix the type error to resolve the issue.

[ErisDS]

🤖 Velo CI Failure Analysis

Classification: 🟠 SOFT FAIL

• Workflow: CICD
• Failed Step: Run Tests
• Run: View failed run
  What failed: TypeScript type error in route-registry.ts
  Why: The final error in the logs indicates a TypeScript type error in the route-registry.ts file. This is a code issue that the author should fix, as it is a problem with the application code and not an infrastructure-related problem.
  Action:
  The author should review the type error in route-registry.ts and update the code to resolve the type mismatch. Once the code is fixed, the CI build should pass.

[ErisDS]

🤖 Velo CI Failure Analysis

Classification: 🟠 SOFT FAIL

• Workflow: CICD
• Failed Step: Run Tests
• Run: View failed run
  What failed: TypeScript type error in route-registry.ts
  Why: The root cause of the failure is a TypeScript type error in the route-registry.ts file. This is a code issue that the author should fix, as it is a problem with the application code and not an infrastructure-related problem.
  Action:
  The author should review the type error in route-registry.ts and update the code to resolve the type mismatch. Once the code is fixed, the CI build should pass.

[ErisDS]

🤖 Velo CI Failure Analysis

Classification: 🟠 SOFT FAIL

• Workflow: CICD
• Failed Step: Run Tests
• Run: View failed run
  What failed: TypeScript type error in route-registry.ts
  Why: The root cause of the failure is a TypeScript type error in the route-registry.ts file. This is a code issue, as the error is in the application code and not related to any infrastructure problems.
  Action:
  The developer should fix the type error in the route-registry.ts file to resolve the issue.

[ErisDS]

🤖 Velo CI Failure Analysis

Classification: 🟠 SOFT FAIL

• Workflow: CICD
• Failed Step: Run Tests
• Run: View failed run
  What failed: TypeScript type error in route-registry.ts
  Why: The root cause of the failure is a TypeScript type error in the route-registry.ts file. This is a code issue that the author should fix, as it is a problem with the application code and not an infrastructure-related problem.
  Action:
  The author should review the TypeScript error and update the code in route-registry.ts to resolve the type mismatch. Once the code is fixed, the CI/CD pipeline should pass.

[ErisDS]

🤖 Velo CI Failure Analysis

Classification: 🟠 SOFT FAIL

• Workflow: CICD
• Failed Step: Run Tests
• Run: View failed run
  What failed: TypeScript compilation error in route-registry.ts
  Why: The root cause of the failure is a TypeScript compilation error in the file 'route-registry.ts'. This is a code issue, as the error is related to the application code and not the infrastructure.
  Action:
  The developer should review the TypeScript error and update the code to resolve the issue. Once the code is fixed, the CI/CD pipeline should pass the tests.

[ErisDS]

🤖 Velo CI Failure Analysis

Classification: 🟠 SOFT FAIL

• Workflow: CICD
• Failed Step: Run Tests
• Run: View failed run
  What failed: TypeScript type error in route-registry.ts
  Why: The root cause of the failure is a TypeScript type error in the route-registry.ts file. This is a code issue that the author should fix, as it is a problem with the application code and not an infrastructure-related problem.
  Action:
  The author should review the TypeScript error and update the code in route-registry.ts to resolve the type mismatch. Once the code is fixed, the CI/CD pipeline should pass.

[ErisDS]

🤖 Velo CI Failure Analysis

Classification: 🟠 SOFT FAIL

• Workflow: CICD
• Failed Step: Run Tests
• Run: View failed run
  What failed: TypeScript type errors
  Why: The failure is caused by a code issue that needs to be fixed in this PR.
  Action:
  Check the error message and fix the issue in your code.

[ErisDS]

🤖 Velo CI Failure Analysis

Classification: 🟠 SOFT FAIL

• Workflow: CICD
• Failed Step: Run Tests
• Run: View failed run
  What failed: TypeScript type errors
  Why: The failure is caused by a code issue that needs to be fixed in this PR.
  Action:
  Check the error message and fix the issue in your code.

[sagzy]

@CodeRabbit review pls

[Copilot]

Pull request overview

Updates the project’s Hono web framework dependency to a newer minor release, keeping the server stack current while staying on the same major version.

Changes:

• Bumped hono from 4.10.7 to 4.12.7 in package.json.
• Updated yarn.lock to reflect the new resolved Hono tarball and integrity hash.

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.

File	Description
package.json	Updates the pinned hono dependency version to 4.12.7.
yarn.lock	Locks hono@4.12.7 with updated resolution/integrity metadata.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Find route-registry.ts
fd route-registry.ts

# Find all JWT/JWK middleware usages
echo "=== JWT/JWK usage ==="
rg -n "hono/jwt|hono/jwk|from 'hono'" --type ts -A2 -B2

# Find any hono jwt imports
echo "=== JWT imports ==="
rg -n "jwt|jwk" --type ts -C3

Length of output: 12866

---

🏁 Script executed:

#!/bin/bash
echo "=== route-registry.ts full content ==="
cat src/http/routing/route-registry.ts

echo ""
echo "=== package.json hono version ==="
grep -n "hono" package.json

echo ""
echo "=== Check for MiddlewareHandler usage ==="
rg -n "MiddlewareHandler" --type ts -C3

Length of output: 9073

---

🏁 Script executed:

#!/bin/bash
echo "=== app.ts relevant type definitions ==="
rg -n "AppContext|HonoContextVariables" src/app.ts -A5 -B2

echo ""
echo "=== Check hono MiddlewareHandler type definition ==="
fd "types.ts" node_modules/hono/dist --exec cat {}

echo ""
echo "=== Check hono index types ==="
cat node_modules/hono/dist/types.d.ts 2>/dev/null || echo "File not found"

echo ""
echo "=== Check hono package types entry ==="
cat node_modules/hono/package.json | python3 -c "import sys,json; d=json.load(sys.stdin); print(d.get('types',''), d.get('typings',''), d.get('exports',{}).get('.', {}))"

echo ""
echo "=== MiddlewareHandler type ==="
rg -n "MiddlewareHandler" node_modules/hono/dist/types.d.ts 2>/dev/null || \
rg -rn "MiddlewareHandler" node_modules/hono/dist/ --type ts | head -30

Length of output: 4327

---

🌐 Web query:

hono MiddlewareHandler type change breaking 4.11 4.12 TypeScript

💡 Result:

In Hono v4.12.x (specifically v4.12.3, released Feb 26, 2026), the breaking TypeScript change wasn’t the MiddlewareHandler alias signature itself (it’s effectively the same as 4.11.x), but the route handler overload typings: Hono stopped treating intermediate middlewares as any-input and instead threads the route “Input” type (I) through middleware positions. This makes middleware typing stricter and can surface new TS errors when upgrading from 4.11 → 4.12. [1][2]

What changed (conceptually)

• Before: in handler overloads, middleware slots were effectively typed like H<..., any> (so input from validators/preceding middleware could be lost / treated as any).
• After (4.12.3+): middleware slots are typed like H<..., I> (preserving/propagating the inferred Input type across the chain), fixing issues such as c.req.valid() being incorrectly typed in non-last handlers. [1]

How to fix your code

• If you explicitly annotate middleware as MiddlewareHandler (especially with a too-narrow/incorrect I), remove the annotation and let Hono infer it, or
• Use createMiddleware() / createFactory() from hono/factory to preserve inference when exporting/creating middleware functions dynamically, or
• If you must annotate, make the middleware’s I generic/wide enough (e.g. MiddlewareHandler<E, P, any> / MiddlewareHandler<E, P, Input>), so it can accept the route’s inferred input.

Sources: Hono release notes mention “fix(types): correct middleware types” in v4.12.3 [2], and PR #4774 explains it was fixing middleware typing that incorrectly used any for middleware input instead of passing through the proper In/Input type. [1]

---

🌐 Web query:

hono "fix(types): correct middleware types" 4.12.3 MiddlewareHandler change

💡 Result:

In Hono v4.12.3 (Feb 26, 2026) the change titled “fix(types): correct middleware types” (PR #4774) adjusts the route-method overloads so that middleware no longer erases the route’s input type (I) to any when multiple handlers are provided. This fixes cases where adding a middleware (notably validator(...)) caused later (or non-last) handlers to lose the inferred input type, making things like c.req.valid('query') incorrectly fail to type-check. [1][2][3]

What effectively changed (type-level)

• Previously, the generic constraints for “middleware slots” in handler chains were typed like H<..., any>, so middleware would “reset” the input typing to any.
• In v4.12.3, those middleware generics were changed to pass through the correct I / I2 / I3 etc., so the input type is preserved across the whole chain. [2][3]

Impact you might see

• Stricter (more correct) TypeScript errors if you had middleware typed too loosely/incorrectly (it may have “worked” before because any masked the mismatch).
• If you author reusable middleware, you may need to parameterize it with the proper I extends Input (or use createMiddleware()), so it composes with validated inputs cleanly. [2][3]

Sources:
[1] Hono v4.12.3 release notes (includes “fix(types): correct middleware types”) (github.com)
[2] PR #4774 conversation (explains prior any usage in middleware typing and the fix) (github.com)
[3] PR #4774 diff (shows middleware generics changing from any to I/I2 in handler overloads) (github.com)

Citations:

• 1: https://github.com/honojs/hono/releases
• 2: fix(types): correct middleware types honojs/hono#4774
• 3: https://github.com/honojs/hono/pull/4774/files

---

@sagzy: The CI failures are all caused by a real, breaking TypeScript type change introduced in hono v4.12.3. Here's what changed and how to fix it.

---

Root Cause

In hono v4.12.3 (PR #4774), middleware generics in handler overloads were changed from using any for the Input type I to properly threading I through the chain. This makes TypeScript stricter: middleware that was previously passing silently (because any masked mismatches) now surfaces type errors.

The problem in src/http/routing/route-registry.ts is in buildMiddleware(). Inline middleware functions are explicitly annotated as (ctx: AppContext, next: Next) and pushed into a MiddlewareHandler<{ Variables: HonoContextVariables }>[] array, which then gets spread into app[method](route.path, ...middleware). Under hono 4.12.3+'s stricter generics, TypeScript can no longer verify the Input type I alignment when spreading an explicitly-typed array.

---

Fix

The recommended fix is to use createMiddleware() from hono/factory instead of manually annotating inline middleware with ctx: AppContext. This preserves type inference and eliminates the explicit annotation causing the conflict.

import 'reflect-metadata';

import * as Sentry from '@sentry/node';
import type { AwilixContainer } from 'awilix';
-import type { Hono, MiddlewareHandler, Next } from 'hono';
+import type { Hono, MiddlewareHandler, Next } from 'hono';
+import { createMiddleware } from 'hono/factory';

import type { AppContext, HonoContextVariables } from '@/app';

Then in buildMiddleware(), replace the inline (ctx: AppContext, next: Next) annotations with createMiddleware:

    private buildMiddleware(
        route: RouteRegistration,
        container: AwilixContainer,
    ): MiddlewareHandler<{ Variables: HonoContextVariables }>[] {
        const middleware: MiddlewareHandler<{
            Variables: HonoContextVariables;
        }>[] = [];

        if (route.versions && route.versions.length > 0) {
-           middleware.push(async (ctx: AppContext, next: Next) => {
+           middleware.push(createMiddleware<{ Variables: HonoContextVariables }>(async (ctx, next) => {
                const requestVersion = ctx.req.param('version');
                if (!route.versions) {
                    throw new Error('RouteRegistration was modified');
                }

                if (!route.versions.includes(requestVersion)) {
                    return ctx.json(
                        {
                            message: `Version ${requestVersion} is not supported.`,
                            code: 'INVALID_VERSION',
                            requestedVersion: requestVersion,
                            supportedVersions: route.versions,
                        },
                        410,
                    );
                }
                return await next();
-           });
+           }));
        }

        // ...

-       middleware.push((ctx: AppContext, next: Next) => {
+       middleware.push(createMiddleware<{ Variables: HonoContextVariables }>((ctx, next) => {
            const controller = container.resolve(route.controllerToken);
            return Sentry.startSpan(
                {
                    op: 'controller.handle',
                    name: `${controller.constructor.name}.${route.methodName}`,
                },
                () => controller[route.methodName](ctx, next),
            );
-       });
+       }));

        return middleware;
    }

This is the minimal, idiomatic fix — createMiddleware handles the type parameter threading that hono 4.12.3 now enforces, avoiding any need for explicit ctx: AppContext annotations in the handler bodies.