PT-2026-39329 · Npm · Hono
Published
2026-05-09
·
Updated
2026-05-09
·
CVE-2026-44459
CVSS v3.1
3.8
Low
| Vector | AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N |
Summary
Improper validation of the JWT NumericDate claims exp, nbf, and iat in hono/utils/jwt allows tokens with non-spec-compliant claim values to silently bypass time-based checks. This issue is not exploitable by an anonymous attacker; it only manifests when a malformed claim value reaches verify(), typically because the application itself issues such tokens, or because the signing key is otherwise under attacker control.
Details
The validation routine combined the option check, the presence check, and the threshold comparison for each claim in a single short-circuiting expression, so several classes of malformed values fell through to "accepted" instead of being rejected:
- A falsy numeric value (0, or NaN, which is also falsy) short-circuited the presence check and was treated as an absent claim.
- A non-finite numeric value (an infinity of either sign) never tripped the comparison in the direction that matters: an exp of +Infinity was never expired, and an nbf or iat of -Infinity was never after now.
- A non-numeric type (for example a string) produced a NaN comparison, which always evaluates to false.
This deviates from RFC 7519, which defines NumericDate (§2) as a JSON numeric value and requires exp (§4.1.4), nbf, and iat to carry one; JSON has no representation for NaN or infinities, so a conforming NumericDate is always a finite number.
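As an added example for this advisory (not hono/utils/jwt source; the function names, the `opts` shape, the result objects and the sample payloads are this example's own assumptions), the following reconstructs the short-circuiting pattern described above next to a check that enforces RFC 7519 NumericDate semantics, and runs both over constructed payloads covering the three classes of malformed value:

```javascript
// Added example for this advisory: a reconstruction of the short-circuiting
// time-claim check it describes, beside a check that enforces RFC 7519
// NumericDate semantics. Function names, option names, result shape and the
// sample payloads are assumptions of this example; it is not hono/utils/jwt code.

function nowSeconds() {
  return Math.floor(Date.now() / 1000);
}

// Loose variant. Option, presence and threshold are folded into one
// short-circuiting expression per claim: a falsy claim (0, NaN) is treated
// as absent, an infinity never trips the comparison that matters, and a
// non-numeric value yields a NaN comparison that is always false.
// Every one of those cases falls through to "accepted".
function checkTimeClaimsLoose(payload, opts = {}, now = nowSeconds()) {
  const { exp, nbf, iat } = payload;
  if (opts.exp !== false && exp && exp <= now) return { ok: false, reason: 'expired' };
  if (opts.nbf !== false && nbf && nbf > now) return { ok: false, reason: 'not-yet-valid' };
  if (opts.iat !== false && iat && iat > now) return { ok: false, reason: 'issued-in-future' };
  return { ok: true };
}

// RFC 7519: NumericDate is a JSON numeric value (seconds since the epoch).
// JSON numbers are always finite, so NaN, +/-Infinity, strings, null and
// objects are all invalid regardless of how they happen to compare.
function isNumericDate(v) {
  return typeof v === 'number' && Number.isFinite(v);
}

// Strict variant. Presence is decided by the key, not by truthiness, and a
// present claim must be a NumericDate before any threshold comparison runs.
function checkTimeClaimsStrict(payload, opts = {}, now = nowSeconds()) {
  const rules = [
    ['exp', (v) => v <= now, 'expired'],          // current time must be before exp
    ['nbf', (v) => v > now, 'not-yet-valid'],     // current time must be at or after nbf
    ['iat', (v) => v > now, 'issued-in-future'],  // issuance must not lie in the future
  ];
  for (const [claim, violates, reason] of rules) {
    if (opts[claim] === false) continue;                                   // verifier disabled this claim
    if (!Object.prototype.hasOwnProperty.call(payload, claim)) continue;   // absent: nothing to enforce
    const v = payload[claim];
    if (!isNumericDate(v)) return { ok: false, reason: `malformed-${claim}` };
    if (violates(v)) return { ok: false, reason };
  }
  return { ok: true };
}

// Constructed payloads (not real tokens) covering the advisory's three classes,
// plus a future iat and a well-formed token as controls. `now` is fixed so the
// results are reproducible.
function demo(now = 1_700_000_000) {
  const cases = {
    falsyExp: { exp: 0 },                 // falsy number: presence check short-circuits
    nanExp: { exp: NaN },                 // NaN is numeric but falsy
    infiniteExp: { exp: Infinity },       // non-finite: never expires
    stringExp: { exp: 'never' },          // non-numeric: NaN comparison, always false
    negInfNbf: { nbf: -Infinity },        // non-finite: never "after now"
    futureIat: { iat: now + 3600 },       // well-typed but violates the threshold
    wellFormed: { exp: now + 3600, nbf: now - 60, iat: now - 60 },
  };
  const out = {};
  for (const [name, payload] of Object.entries(cases)) {
    out[name] = {
      loose: checkTimeClaimsLoose(payload, {}, now),
      strict: checkTimeClaimsStrict(payload, {}, now),
    };
  }
  return out;
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, r] of Object.entries(demo())) {
    console.log(name, 'loose:', r.loose.reason ?? 'accepted', 'strict:', r.strict.reason ?? 'accepted');
  }
}
```

Run with node: the loose check accepts every malformed payload, while the strict check rejects each one as malformed before any comparison, and treats exp: 0 as what it literally is, an expiry in 1970. The design point is that validity of the claim's type and the threshold comparison are separate decisions; folding them into one `&&` chain is what lets a value that is neither "present and valid" nor "absent" slip through.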
Impact
An actor able to issue tokens accepted by the application may craft tokens whose exp, nbf, or iat claims silently bypass time-based enforcement. This may lead to:
- Tokens treated as never expiring even with exp checking configured on the verifier.
- Tokens with a future nbf accepted as currently valid.
- Tokens with a future iat accepted as legitimately issued.
Deployments whose token issuer emits well-formed claims and whose signing key is protected are not affected.
Fix
Weakness Enumeration
Related Identifiers
Affected Products
Hono