CVE-2025-62610 · HIGH 8.1 · EPSS percentile 22.8%

Description

Hono is a Web application framework that provides support for any JavaScript runtime. In versions from 1.1.0 to before 4.10.2, Hono’s JWT Auth Middleware does not provide a built-in aud (Audience) verification option. This can cause confused-deputy / token-mix-up issues: when multiple services share the same issuer and signing keys, an API may accept a valid token that was issued for a different audience (e.g., another service), leading to unintended cross-service access. Hono’s docs list verification options for iss/nbf/iat/exp only, with no aud support, whereas RFC 7519 (section 4.1.3) requires that when an aud claim is present, the token MUST be rejected unless the processing party identifies itself with a value in that claim. This issue has been patched in version 4.10.2.

Scoring

CVSS 3.1: 8.1 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
EPSS: 0.31% probability of exploitation · percentile 22.8% · 2026-06-18T12:00:27Z
Published: 2025-10-22
Last modified: 2026-02-04

Underlying weaknesses (1)

CWE-285 (Improper Authorization)

References

  1. https://github.com/honojs/hono/commit/45ba3bf9e3dff8e4bd85d6b47d4b71c8d6c66bef
  2. https://github.com/honojs/hono/security/advisories/GHSA-m732-5p4w-x69g

Extracted entities (1)

Type      | Target                          | Confidence | Tier
Weakness  | Improper Authorization (cwe-285) | 0%         | live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

  - CVE-2026-29045
  - CVE-2025-51606
  - CVE-2026-33746
  - CVE-2025-9803
  - CVE-2026-42280
  - CVE-2026-48526
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.