CVE-2026-44459
Hono has improper validation of NumericDate claims (exp, nbf, iat) in JWT verify()
Description
### Summary
Improper validation of the JWT NumericDate claims `exp`, `nbf`, and `iat` in `hono/utils/jwt` allows tokens with non-spec-compliant claim values to silently bypass time-based checks. This issue is not exploitable by an anonymous attacker; it only manifests when a malformed claim value reaches `verify()`, typically because the application itself issues such tokens or because the signing key is otherwise under attacker control.

### Details
The validation routine combined the option, presence, and threshold checks in a single short-circuiting expression, so several classes of malformed values were silently skipped instead of rejected:
- A falsy numeric value (such as `0`) short-circuited the presence check, so the claim was never compared against the current time.
- A non-finite numeric value compared as never-after-now and never-expired.
- A non-numeric type produced NaN comparisons that evaluated to false.

This deviates from RFC 7519, which defines NumericDate (§2) as a JSON numeric value, a type that cannot encode NaN or Infinity, and requires the `exp`, `nbf`, and `iat` claims (§4.1.4 to §4.1.6) to carry one.

### Impact
An actor able to issue tokens accepted by the application may craft tokens whose `exp`, `nbf`, or `iat` claims silently bypass time-based enforcement. This may lead to:
- Tokens treated as never expiring even with `exp` enforcement configured on the verifier.
- Tokens with a future `nbf` accepted as currently valid.
- Tokens with a future `iat` accepted as legitimately issued.

Deployments using a well-formed token issuer and protecting the signing key are not affected.
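The short-circuiting pattern described above, reconstructed as an added example that is not Hono's code. The "vulnerable" function is a plausible shape of the flaw written for illustration, not the project's source; the function names, the option object, the constructed clock value and the constructed payloads are all assumptions. The hardened version separates the option, presence, type and threshold checks and requires a finite number, which is what RFC 7519 expects of a NumericDate.

```typescript
// Added example (not Hono's code). Reconstructs the class of bug described
// in the advisory and the check that closes it.

type ClaimName = 'exp' | 'nbf' | 'iat';
type ClaimOptions = { [K in ClaimName]?: boolean };

// Constructed clock value in seconds since the epoch (assumption for the demo).
const NOW = 1_700_000_000;
const ENFORCE_ALL: ClaimOptions = { exp: true, nbf: true, iat: true };

// Vulnerable pattern (hypothetical): option, presence and threshold checks in
// one `&&` chain. Returns the names of the claims that failed; [] means the
// token passes the time-based checks.
function checkClaimsVulnerable(
  payload: Record<string, unknown>,
  now: number,
  opts: ClaimOptions = ENFORCE_ALL,
): ClaimName[] {
  const failed: ClaimName[] = [];
  const exp = payload.exp as number;
  const nbf = payload.nbf as number;
  const iat = payload.iat as number;
  // `exp && ...` treats 0 as "absent"; Infinity is never <= now;
  // a string or NaN makes the comparison NaN-ish and therefore false.
  if (opts.exp && exp && exp <= now) failed.push('exp');
  if (opts.nbf && nbf && nbf > now) failed.push('nbf');
  if (opts.iat && iat && iat > now) failed.push('iat');
  return failed;
}

// RFC 7519 NumericDate: a JSON number, which cannot be NaN or Infinity.
function isNumericDate(v: unknown): v is number {
  return typeof v === 'number' && Number.isFinite(v);
}

// Hardened version: each concern is its own check, and a present claim that
// is not a finite number is rejected rather than skipped.
function checkClaimsFixed(
  payload: Record<string, unknown>,
  now: number,
  opts: ClaimOptions = ENFORCE_ALL,
): ClaimName[] {
  const failed: ClaimName[] = [];
  for (const claim of ['exp', 'nbf', 'iat'] as const) {
    if (!opts[claim]) continue;            // verifier not enforcing this claim
    if (!(claim in payload)) continue;     // absent claim is optional in RFC 7519
    const v = payload[claim];
    if (!isNumericDate(v)) {               // malformed: 0 is fine, "x"/NaN/Infinity are not
      failed.push(claim);
      continue;
    }
    // exp: current time MUST be before exp. nbf/iat: MUST NOT be in the future.
    if (claim === 'exp' ? v <= now : v > now) failed.push(claim);
  }
  return failed;
}

// Constructed payloads exercising each bypass class from the advisory.
const SAMPLES: Record<string, Record<string, unknown>> = {
  wellFormedValid: { exp: NOW + 60, nbf: NOW - 60, iat: NOW - 60 },
  wellFormedExpired: { exp: NOW - 1 },
  falsyExp: { exp: 0 },          // presence check short-circuits
  infiniteExp: { exp: Infinity }, // never <= now
  nanNbf: { nbf: NaN },          // NaN > now is false
  stringIat: { iat: 'soon' },    // non-numeric type
};

// Compare both checkers over every sample; the mismatches are the bypasses.
function findBypasses(now: number = NOW): string[] {
  return Object.entries(SAMPLES)
    .filter(([, p]) => checkClaimsVulnerable(p, now).length === 0
      && checkClaimsFixed(p, now).length > 0)
    .map(([name]) => name);
}
```

`findBypasses()` lists the four malformed samples; the two well-formed payloads are judged identically by both checkers, which is the point: the fix changes nothing for a compliant issuer and only stops rejecting-by-omission for values a compliant issuer never produces.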
How to fix CVE-2026-44459
To remediate CVE-2026-44459, upgrade the affected package to a fixed version below.
- hono: upgrade to 4.12.18 or later
Is CVE-2026-44459 being exploited?
Low. EPSS is 0.0%, i.e. the estimated probability of exploitation in the wild over the next 30 days is negligible; no exploitation activity has been reported.
Affected packages (1)
- hono: from 0, < 4.12.18