github honojs/hono v4.11.4
on GitHub

14 hours ago

Security

Fixed a JWT algorithm confusion issue in the JWT and JWK/JWKS middleware.

Both middlewares now require an explicit algorithm configuration to prevent the verification algorithm from being influenced by untrusted JWT header values.

If you are using the JWT or JWK/JWKS middleware, please update to the latest version as soon as possible.

JWT middleware

import { jwt } from 'hono/jwt'

app.use(
  '/auth/*',
  jwt({
    secret: 'it-is-very-secret',
    alg: 'HS256', // required
  })
)

JWK/JWKS middleware

import { jwk } from 'hono/jwk'

app.use(
  '/auth/*',
  jwk({
    jwks_uri: 'https://example.com/.well-known/jwks.json',
    alg: ['RS256'], // required (asymmetric algorithms only)
  })
)

For more details, see the Security Advisory.

What's Changed

  • test(utils/jwt): add missing algorithm types in jwa.test.ts by @flathill404 in #4607
  • chore: bump @hono/eslint-config and enable curly rule by @yusukebe in #4620
  • docs(bun/websocket): Fixed a typo in hono/bun deprecation message and updated test. by @Itsnotaka in #4618
  • test: support alg option for JWT middleware by @yusukebe in #4624

New Contributors

Full Changelog: v4.11.3...v4.11.4

Check out latest releases or
releases around honojs/hono v4.11.4

Don't miss a new hono release

NewReleases is sending notifications on new releases.

Get notifications