PT-2025-43405 · Hono · Hono
Published: 2025-10-22 · Updated: 2026-03-24
CVE-2025-62610
CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions
Hono versions 1.1.0 through 4.10.1
Description
Hono's JWT authentication middleware lacked built-in verification of the aud (Audience) claim. This could lead to confused-deputy or token mix-up issues, where an API accepts a valid token that was intended for a different service, especially when multiple services share the same issuer and signing keys. RFC 7519 requires that a token carrying an aud claim be rejected unless the processing party identifies itself with one of the claim's values. The issue stems from the absence of an aud option among the middleware's verification options, which covered only iss, nbf, iat and exp. The result could be cross-service access and erosion of service boundaries, potentially allowing unauthorized access to sensitive endpoints. The issue is particularly relevant in deployments with a single Identity Provider (IdP) and keys shared across multiple services.
Recommendations
Update to Hono version 4.10.2 or later.
Enable RFC 7519-compliant audience validation by adding the verification.aud option to the JWT middleware configuration. For example:

```ts
import { Hono } from 'hono'
import { jwt } from 'hono/jwt'

const app = new Hono()

app.use(
  '/api/*',
  jwt({
    secret: 'my-secret',
    verification: {
      // Reject any token whose aud claim does not name this service
      aud: 'service-a',
    },
  })
)
```
Exploit
Fix
Weakness Enumeration
Improper Authorization
Related Identifiers
CVE-2025-62610
Affected Products
Hono