GHSA-hm8q-7f3q-5f36

Source
https://github.com/advisories/GHSA-hm8q-7f3q-5f36
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-hm8q-7f3q-5f36/GHSA-hm8q-7f3q-5f36.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-hm8q-7f3q-5f36
Published
2026-05-09T00:45:19Z
Modified
2026-05-14T20:45:18.828694037Z
Severity
  • 3.8 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N
Summary
Hono has improper validation of NumericDate claims (exp, nbf, iat) in JWT verify()
Details

Summary

Improper validation of the JWT NumericDate claims exp, nbf, and iat in hono/utils/jwt allows tokens with non-spec-compliant claim values to silently bypass time-based checks. This issue is not exploitable by an anonymous attacker; it only manifests when a malformed claim value reaches verify() — typically when the application itself issues such tokens, or when the signing key is otherwise under attacker control.

Details

The validation routine combined option, presence, and threshold checks in a single short-circuiting expression, so several classes of malformed values were silently skipped instead of rejected:

  • A falsy numeric value short-circuited the presence check.
  • A non-finite numeric value compared as never-after-now and never-expired.
  • A non-numeric type produced NaN comparisons that evaluated false.

This deviates from RFC 7519 §4.1.4, which defines NumericDate as a finite JSON numeric value.

Impact

An actor able to issue tokens accepted by the application may craft tokens whose exp, nbf, or iat claims silently bypass time-based enforcement. This may lead to:

  • Tokens treated as never expiring even with exp configured on the verifier.
  • Tokens with a future nbf accepted as currently valid.
  • Tokens with a future iat accepted as legitimately issued.

Deployments using a well-formed token issuer and protecting the signing key are not affected.
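The three failure classes listed under Details and the resulting impacts above can be seen side by side in the following added example. It is not Hono's code: the weak check is a constructed re-creation of the short-circuit pattern the advisory describes, and the strict check is one way to validate NumericDate claims the way RFC 7519 §4.1.4 requires (presence, type/finiteness and threshold decided separately). Function names, the sample payloads and the fixed `now` value are this example's own assumptions.

```javascript
// Added example, not Hono's own code. Demonstrates why folding option,
// presence and threshold checks into one short-circuit expression lets
// malformed exp / nbf / iat values through, and a strict alternative.

// RFC 7519 §4.1.4: a NumericDate is a finite JSON numeric value.
function isNumericDate(value) {
  return typeof value === 'number' && Number.isFinite(value);
}

// Constructed weak pattern (illustrative, not Hono's implementation).
// A falsy value (0, NaN) fails the `payload.x &&` presence test and is
// skipped; Infinity, NaN and non-numeric values make the comparison
// false, so the claim is never rejected. Returns the failing claim or null.
function weakCheck(payload, now) {
  if (payload.exp && payload.exp <= now) return 'exp';
  if (payload.nbf && payload.nbf > now) return 'nbf';
  if (payload.iat && payload.iat > now) return 'iat';
  return null;
}

// Hardened check: each claim goes through three separate decisions.
// `now` is seconds since the epoch. Returns a list of failure reasons;
// an empty list means the time claims are acceptable.
function strictCheck(payload, now, options = {}) {
  const failures = [];
  const thresholds = {
    exp: (v) => (v <= now ? 'exp: token has expired' : null),
    nbf: (v) => (v > now ? 'nbf: token not yet valid' : null),
    iat: (v) => (v > now ? 'iat: issued in the future' : null),
  };
  for (const [name, threshold] of Object.entries(thresholds)) {
    // 1. Presence: decided with hasOwnProperty, not truthiness.
    if (!Object.prototype.hasOwnProperty.call(payload, name)) {
      if (name === 'exp' && options.requireExp) failures.push('exp: claim missing');
      continue;
    }
    // 2. Type and finiteness: reject anything that is not a finite number.
    const value = payload[name];
    if (!isNumericDate(value)) {
      failures.push(`${name}: not a finite number (${describe(value)})`);
      continue;
    }
    // 3. Threshold: only reached for well-formed values.
    const failure = threshold(value);
    if (failure) failures.push(failure);
  }
  return failures;
}

function describe(value) {
  return typeof value === 'number' ? String(value) : typeof value;
}

// Constructed malformed payloads, evaluated at a fixed "current time".
const NOW = 1700000000;
const SAMPLES = [
  { label: 'exp = 0 (falsy, long expired)', payload: { exp: 0 } },
  { label: 'exp = Infinity', payload: { exp: Infinity } },
  { label: 'exp = NaN', payload: { exp: NaN } },
  { label: 'exp = "never" (string)', payload: { exp: 'never' } },
  { label: 'nbf = NaN', payload: { nbf: NaN } },
  { label: 'iat = {} (object)', payload: { iat: {} } },
  { label: 'well-formed, valid', payload: { exp: NOW + 60, nbf: NOW - 60, iat: NOW - 60 } },
];

// Runs both checks over every sample; the first six are accepted by the
// weak check and rejected by the strict one, the last is accepted by both.
function compare(now = NOW) {
  return SAMPLES.map(({ label, payload }) => ({
    label,
    weak: weakCheck(payload, now) === null ? 'accepted' : 'rejected',
    strict: strictCheck(payload, now).length === 0 ? 'accepted' : 'rejected',
  }));
}

if (typeof require !== 'undefined' && require.main === module) console.table(compare());
```

The point of the ordering in `strictCheck` is that a claim that is present but malformed is an error in its own right, not a claim to be skipped: the type check runs before any comparison, so NaN and non-numeric values never reach a `<` or `>` that would silently evaluate to false.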

Database specific
{
    "nvd_published_at": "2026-05-13T16:16:57Z",
    "github_reviewed": true,
    "severity": "LOW",
    "cwe_ids": [
        "CWE-1284"
    ],
    "github_reviewed_at": "2026-05-09T00:45:19Z"
}
References

Affected packages

npm / hono

Package: hono (npm)
Affected ranges:
  • Type: SEMVER
  • Introduced: 0 (unknown introduced version; all previous versions are affected)
  • Fixed: 4.12.18

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-hm8q-7f3q-5f36/GHSA-hm8q-7f3q-5f36.json"