CVE-2025-62610

Name of the Vulnerable Software and Affected Versions Hono versions 1.1.0 through 4.10.1

Description Hono’s JWT authentication middleware lacked built-in verification of the

aud

(Audience) claim. This could lead to confused-deputy or token-mix-up issues, where an API might accept a valid token intended for a different service, especially when multiple services share the same issuer and keys. RFC 7519 requires that tokens with an

aud

claim be rejected unless the processing party is identified within that claim. The issue stems from the absence of an

aud

option in the middleware’s verification options, which include

iss

,

nbf

,

iat

, and

exp

. This could result in cross-service access and boundary erosion, potentially allowing unauthorized access to sensitive endpoints. The issue is particularly relevant in deployments with a single Identity Provider (IdP) and shared keys across multiple services.

Recommendations Update to Hono version 4.10.2 or later. Enable RFC 7519–compliant audience validation by adding the

verification.aud

option to the JWT middleware configuration. For example:

import { Hono } from 'hono'
import { jwt } from 'hono/jwt'

const app = new Hono()

app.use(
 '/api/*',
 jwt({
  secret: 'my-secret',
  verification: {
   aud: 'service-a',
  },
 })
)