8.1

CVSS Score

3.1

Basic Information

CVE ID

GHSA ID

GHSA-m732-5p4w-x69g

EPSS Score

CWE

CWE-285

Published

10/22/2025

Updated

10/22/2025

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-m732-5p4w-x69g

GHSA-m732-5p4w-x69g: Hono Improper Authorization vulnerability

Improper Authorization in Hono (JWT Audience Validation)

Hono’s JWT authentication middleware did not validate the aud (Audience) claim by default. As a result, applications using the middleware without an explicit audience check could accept tokens intended for other audiences, leading to potential cross-service access (token mix-up).

The issue is addressed by adding a new verification.aud configuration option to allow RFC 7519–compliant audience validation. This change is classified as a security hardening improvement, but the lack of validation can still be considered a vulnerability in deployments that rely on default JWT verification.

Recommended secure configuration

You can enable RFC 7519–compliant audience validation using the new verification.aud option:

import { Hono } from 'hono'
import { jwt } from 'hono/jwt'

const app = new Hono()

app.use(
  '/api/*',
  jwt({
    secret: 'my-secret',
    verification: {
      // Require this API to only accept tokens with aud = 'service-a'
      aud: 'service-a',
    },
  })
)

Below is the original description by the reporter. For security reasons, it does not include PoC reproduction steps, as the vulnerability can be clearly understood from the technical description.

The original description by the reporter

Summary

Hono’s JWT Auth Middleware does not provide a built-in aud (Audience) verification option, which can cause confused-deputy / token-mix-up issues: an API may accept a valid token that was issued for a different audience (e.g., another service) when multiple services share the same issuer/keys. This can lead to unintended cross-service access. Hono’s docs list verification options for iss/nbf/iat/exp only, with no aud support; RFC 7519 requires that when an aud claim is present, tokens MUST be rejected unless the processing party identifies itself in that claim.

Note: This problem likely exists in the JWK/JWKS-based middleware as well (e.g., jwk / verifyWithJwks)

Details

The middleware’s verifyOptions enumerate only iss, nbf, iat, and exp; there is no aud option. The same omission appears in the JWT Helper’s “Payload Validation” list. Developers relying on the middleware for complete standards-aligned validation therefore won’t check audience by default.
Standards requirement: RFC 7519 §4.1.3 states that each principal intended to process the JWT MUST identify itself with a value in the aud claim; if it does not, the JWT MUST be rejected (when aud is present). Lack of a first-class aud check increases the risk that tokens issued for Service B are accepted by Service A.
Real-world effect: In deployments with a single IdP/JWKS and shared keys across multiple services, a token minted for one audience can be mistakenly accepted by another audience unless developers implement a custom audience check.
- For example, with Google Identity (OIDC), iss is always https://accounts.google.com (shared across apps), but aud differs per application because it is that app’s OAuth client ID; therefore, an attacker can host a separate service that supports “Sign in with Google,” obtain a valid ID token (JWT) for the victim user, and—if your API does not verify aud—use that token to access your API with the victim’s privileges.

Impact

Type: Authentication/authorization weakness via token mix-up (confused-deputy).

Who is impacted: Any Hono user who:

shares an issuer/keys across multiple services (common with a single IdP/JWKS)
distinguishes tokens by intended recipient using aud.

What can happen:

Cross-service access: A token for Service B may be accepted by Service A.
Boundary erosion: ID tokens and access tokens, or separate API audiences, can be inadvertently intermixed.
- This may causes unauthorized invocation of sensitive endpoints.

Recommended remediation:

Add verifyOptions.aud (string | string[] | RegExp) to the middleware and enforce RFC 7519 semantics: In verify method, if aud is present and does not match with specified audiences, reject.
Ensure equivalent aud handling exists in the JWK/JWKS flow (jwk middleware / verifyWithJwks) so users of external IdPs can enforce audience consistently.

(GitHub Advisory)

8.1

CVSS Score

3.1

Basic Information

CVE ID

GHSA ID

GHSA-m732-5p4w-x69g

EPSS Score

CWE

CWE-285

Published

10/22/2025

Updated

10/22/2025

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
hono	npm	>= 1.1.0, < 4.10.2	4.10.2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability lies in Hono's JWT middleware, which failed to validate the 'aud' (Audience) claim in JWTs by default. This violates RFC 7519 and creates a confused-deputy vulnerability. An attacker could use a valid token issued for a different service to gain unauthorized access to a Hono application if both services share the same token issuer.

The analysis of the patch commit 45ba3bf9e3dff8e4bd85d6b47d4b71c8d6c66bef reveals that the core of the vulnerability was in the verify function located in src/utils/jwt/jwt.ts. This function is central to JWT validation in Hono. Before the patch, it checked claims like exp and iat but completely ignored the aud claim. The patch rectifies this by adding explicit logic to validate the token's aud claim against the audience specified in the verification options.

The vulnerability also affected the verifyWithJwks function, as it is a wrapper around the verify function. Although verifyWithJwks was not directly modified, the fix in verify ensures that any call to verifyWithJwks will now correctly perform audience validation. Therefore, both verify and verifyWithJwks are identified as the key functions that would appear in a runtime profile during the exploitation of this vulnerability.

Vulnerable functions

verify

src/utils/jwt/jwt.ts

The `verify` function is responsible for JWT validation. Prior to the patch, it did not validate the `aud` (audience) claim of the token. This omission allowed a valid token intended for a different service or audience to be accepted, leading to an improper authorization vulnerability. The patch introduces logic to check the `aud` claim against the expected audience provided in the verification options.

verifyWithJwks

src/utils/jwt/jwt.ts

The `verifyWithJwks` function retrieves a key from a JWKS and then uses the `verify` function to perform the actual token validation. Because it relied on the vulnerable `verify` function which lacked the audience check, `verifyWithJwks` was also susceptible to the same token mix-up vulnerability. The fix applied to `verify` transitively secures `verifyWithJwks`.

WAF Protection Rules

WAF Rule

### Improp*r *ut*oriz*tion in *ono (JWT *u*i*n** V*li**tion) *ono’s JWT *ut**nti**tion mi**l*w*r* *i* not v*li**t* t** `*u*` (*u*i*n**) *l*im *y ****ult. *s * r*sult, *ppli**tions usin* t** mi**l*w*r* wit*out *n *xpli*it *u*i*n** ****k *oul* ****pt

Reasoning

T** vuln*r**ility li*s in *ono's JWT mi**l*w*r*, w*i** **il** to v*li**t* t** '*u*' (*u*i*n**) *l*im in JWTs *y ****ult. T*is viol*t*s R** **** *n* *r**t*s * *on*us**-**puty vuln*r**ility. *n *tt**k*r *oul* us* * v*li* tok*n issu** *or * *i***r*nt s*

8.1

Basic Information

Concerned about an active attack path?

GHSA-m732-5p4w-x69g: Hono Improper Authorization vulnerability

Improper Authorization in Hono (JWT Audience Validation)

Recommended secure configuration

The original description by the reporter

Summary

Details

Impact

8.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI