Vulnerability Description
Hono is a Web application framework that provides support for any JavaScript runtime. In versions from 1.1.0 to before 4.10.2, Hono’s JWT Auth Middleware does not provide a built-in aud (Audience) verification option, which can cause confused-deputy / token-mix-up issues: an API may accept a valid token that was issued for a different audience (e.g., another service) when multiple services share the same issuer/keys. This can lead to unintended cross-service access. Hono’s docs list verification options for iss/nbf/iat/exp only, with no aud support; RFC 7519 requires that when an aud claim is present, tokens MUST be rejected unless the processing party identifies itself in that claim. This issue has been patched in version 4.10.2.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Hono | Hono | >= 1.1.0, < 4.10.2 |
Related Weaknesses (CWE)
References
- https://github.com/honojs/hono/commit/45ba3bf9e3dff8e4bd85d6b47d4b71c8d6c66befPatch
- https://github.com/honojs/hono/security/advisories/GHSA-m732-5p4w-x69gExploitMitigationVendor Advisory
FAQ
What is CVE-2025-62610?
CVE-2025-62610 is a vulnerability with a CVSS score of 8.1 (HIGH). Hono is a Web application framework that provides support for any JavaScript runtime. In versions from 1.1.0 to before 4.10.2, Hono’s JWT Auth Middleware does not provide a built-in aud (Audience) ver...
How severe is CVE-2025-62610?
CVE-2025-62610 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-62610?
Check the references section above for vendor advisories and patch information. Affected products include: Hono Hono.