PT-2026-39329 · Hono · Hono

Published 2026-05-09 · Updated 2026-05-18 · CVE-2026-44459

CVSS v3.1: 3.8 (Low)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Hono versions prior to 4.12.18

Description: Improper validation of the JWT NumericDate claims exp, nbf, and iat in hono/utils/jwt allows tokens with non-spec-compliant claim values to silently bypass time-based checks. This occurs because the validation routine combined option, presence, and threshold checks in a single short-circuiting expression, causing malformed values (falsy numeric values, non-finite numeric values, or non-numeric types) to be skipped instead of rejected. This deviates from RFC 7519 §4.1.4, which defines NumericDate as a finite JSON numeric value. The issue manifests when a malformed claim value reaches the verify() function, typically when the application issues such tokens or the signing key is under attacker control. This can result in tokens being treated as never expiring, tokens with a future nbf (Not Before) being accepted as valid, or tokens with a future iat (Issued At) being accepted as legitimately issued.

Recommendations: Update to version 4.12.18.
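The following is an added illustration of the validation pattern the description refers to; it is not Hono's code and does not reproduce hono/utils/jwt. It reimplements, in a constructed minimal form, the vulnerable shape (option, presence and threshold test in one short-circuiting expression) next to a hardened shape that separates the presence test from a RFC 7519 NumericDate type check, so the three failure modes named above (falsy, non-finite, non-numeric claim values) can be exercised side by side. The function names, the Verdict strings and the sample payloads are all constructed for this example.

```typescript
// Added example: constructed reimplementation of the vulnerable check shape
// described in the advisory and of a hardened version. Not Hono's code.

type Claims = Record<string, unknown>;
type Verdict =
  | "ok"
  | "expired"
  | "not-yet-valid"
  | "issued-in-future"
  | "malformed:exp"
  | "malformed:nbf"
  | "malformed:iat";

// Vulnerable shape (constructed): presence and threshold are tested in one
// short-circuiting expression. A falsy (0), non-finite (NaN) or non-numeric
// ("never", {}) claim makes the whole condition false, so the time check is
// silently skipped and the token passes instead of being rejected.
function validateTimeClaimsVulnerable(payload: Claims, now: number): Verdict {
  const exp = payload.exp as number | undefined;
  const nbf = payload.nbf as number | undefined;
  const iat = payload.iat as number | undefined;
  if (exp && exp <= now) return "expired";
  if (nbf && nbf > now) return "not-yet-valid";
  if (iat && iat > now) return "issued-in-future";
  return "ok";
}

// RFC 7519 §4.1.4 NumericDate is a JSON numeric value: a finite number.
// NaN, Infinity, strings, objects and null are all rejected here.
function isNumericDate(v: unknown): v is number {
  return typeof v === "number" && Number.isFinite(v);
}

// Hardened shape (constructed): presence is decided first; a claim that is
// present but not a finite number is rejected as malformed before any
// threshold comparison runs, so no malformed value can skip a check.
function validateTimeClaimsFixed(payload: Claims, now: number): Verdict {
  for (const name of ["exp", "nbf", "iat"] as const) {
    if (payload[name] !== undefined && !isNumericDate(payload[name])) {
      return `malformed:${name}` as Verdict;
    }
  }
  if (payload.exp !== undefined && (payload.exp as number) <= now) return "expired";
  if (payload.nbf !== undefined && (payload.nbf as number) > now) return "not-yet-valid";
  if (payload.iat !== undefined && (payload.iat as number) > now) return "issued-in-future";
  return "ok";
}

// Constructed sample payloads covering each failure mode from the advisory.
const NOW = 1_700_000_000;
const SAMPLES: Array<[string, Claims]> = [
  ["falsy exp (0)", { exp: 0 }],
  ["non-finite exp (NaN)", { exp: Number.NaN }],
  ["non-numeric exp (string)", { exp: "never" }],
  ["non-numeric nbf (object)", { nbf: {} }],
  ["future nbf (well-formed)", { nbf: NOW + 3600 }],
  ["valid token", { iat: NOW - 10, exp: NOW + 3600 }],
];

// Runs every sample through both validators; returns the verdict table so a
// caller (or a test) can compare the two behaviours without parsing output.
function compare(now: number = NOW): Record<string, [Verdict, Verdict]> {
  const out: Record<string, [Verdict, Verdict]> = {};
  for (const [label, payload] of SAMPLES) {
    out[label] = [validateTimeClaimsVulnerable(payload, now), validateTimeClaimsFixed(payload, now)];
  }
  return out;
}

for (const [label, [vuln, fixed]] of Object.entries(compare())) {
  console.log(`${label.padEnd(28)} vulnerable=${vuln.padEnd(16)} fixed=${fixed}`);
}
```

Run with any TypeScript runner (for example `npx tsx`): the vulnerable column reports "ok" for the falsy, NaN and non-numeric cases, which is the never-expiring / future-nbf-accepted behaviour the advisory describes, while the fixed column reports "expired" for exp 0 and "malformed:<claim>" for the others. The well-formed future nbf and the valid token produce the same verdict under both, showing that the hardening only changes the handling of non-spec-compliant values.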


Weakness Enumeration

Related Identifiers

CLEANSTART-2026-BE61221
CVE-2026-44459
GHSA-HM8Q-7F3Q-5F36

Affected Products

Hono