CVE-2025-62610
BaseFortify
Publication date: 2025-10-22
Last updated on: 2026-02-04
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| hono | hono | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-285 | The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-62610 is a vulnerability in the JWT authentication middleware of the Hono web application framework: by default the middleware does not validate the 'aud' (Audience) claim of a JWT. As a result, a token issued for one service is accepted by any other service that shares the same issuer and signing keys, which is the classic token mix-up or confused-deputy problem. This violates RFC 7519, which requires that a JWT carrying an 'aud' claim be rejected unless the processing party identifies itself with one of the values in that claim. The defect enables unauthorized cross-service access. It was addressed in version 4.10.2 by adding a 'verification.aud' option to the middleware; the option is opt-in, so upgrading alone does not enforce audience validation until it is configured. [1]
How can this vulnerability impact me? :
This vulnerability can lead to unauthorized cross-service access: an attacker holding a valid token that was issued for one service (by the same issuer, signed with the same keys) can present it to another service and be accepted there. The impact is high confidentiality and integrity loss, since sensitive data or operations in the second service can be read or manipulated by a party that was never authorized for it. The vulnerability carries a high severity score (CVSS 8.1) and can be exploited remotely without privileges or user interaction; the one precondition is that the attacker already possesses a legitimately issued token for some other audience of the shared issuer. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is detected by review rather than by a network probe: check which version of Hono is in use and whether the JWT validation logic enforces the 'aud' (Audience) claim. Any version before 4.10.2 cannot validate 'aud' in the middleware at all, so the first check is the dependency version, for example `npm ls hono` in the project, or inspecting the lock file. The second check is to decode tokens your services actually exchange and confirm that each one carries an 'aud' claim naming the intended service; tools such as 'jwt-cli' or 'jq' can do this. Note that JWT segments are base64url-encoded without padding, so a plain `base64 -d` on the payload segment often fails or truncates; restore the padding and alphabet first, for example: `echo <token> | cut -d '.' -f2 | tr '_-' '/+' | awk '{ while (length($0) % 4) $0 = $0 "="; print }' | base64 -d | jq '.'`. If tokens carry no 'aud' at all, or if the middleware on 4.10.2 or later is configured without 'verification.aud', the check is not being enforced. [1]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade the Hono package to version 4.10.2 or later, where the JWT Auth Middleware includes built-in support for verifying the audience ('aud') claim. Upgrading is not sufficient on its own: the check is opt-in, so after upgrading configure the middleware to enforce audience validation by specifying the expected audience value(s) in the 'verification.aud' option. For example, update your middleware setup as follows:

```javascript
import { Hono } from 'hono'
import { jwt } from 'hono/jwt'

const app = new Hono()

app.use('/api/*', jwt({
  secret: 'my-secret',
  verification: {
    aud: 'service-a' // enforce audience claim to be 'service-a'
  }
}))
```

With this in place, tokens whose 'aud' claim does not match are rejected, preventing unauthorized cross-service access. If you use external identity providers with JWK/JWKS, ensure equivalent audience validation is implemented in those middleware flows as well, since the same mix-up applies to any verifier that shares keys with another audience. [1]
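The two answers above describe decoding a token to inspect its 'aud' claim and the RFC 7519 rule the middleware should apply. The following is an added example, not Hono's code and not the code of the page or its authors: it decodes the base64url payload of a compact JWS and applies the audience rule to two constructed, unsigned tokens from a hypothetical shared issuer (`https://idp.example`), one issued for `service-a` and one for `service-b`, so the confused-deputy case is visible. Signature verification is deliberately out of scope; in practice this check runs only on a token whose signature has already been verified.

```javascript
// Added example (not Hono's own implementation): the audience check that the
// jwt() middleware did not apply by default before 4.10.2, applied to
// constructed sample tokens. Signature verification is out of scope here.

// JWT segments are base64url without padding, which is why a plain
// `base64 -d` on the payload segment often fails: restore the padding and the
// standard alphabet before decoding.
function base64UrlDecode(segment) {
  const std = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = std + '='.repeat((4 - (std.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

function base64UrlEncode(text) {
  return Buffer.from(text, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Claims of a compact JWS (header.payload.signature); signature not checked.
function decodeClaims(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// RFC 7519 section 4.1.3: `aud` is a string or an array of strings, and a
// token carrying `aud` MUST be rejected unless the verifier identifies itself
// with one of the values. `expected` is this service's own identifier.
// A token with no `aud` at all is rejected here too; that stricter stance is a
// choice of this example, the RFC leaves the absent case to local policy.
function checkAudience(claims, expected) {
  const aud = claims.aud;
  if (aud === undefined) return false;
  if (typeof aud === 'string') return aud === expected;
  if (Array.isArray(aud)) {
    return aud.every((a) => typeof a === 'string') && aud.includes(expected);
  }
  return false; // any other type is malformed
}

// The pre-4.10.2 default, reduced to its claim checks: expiry is enforced,
// `aud` is never consulted, so any live token from the shared issuer passes.
function acceptedWithoutAudienceCheck(claims, nowSeconds) {
  return typeof claims.exp === 'number' && claims.exp > nowSeconds;
}

// Constructed, unsigned sample tokens: same hypothetical issuer, different
// audiences. The literal "sig" stands in for the signature segment.
function makeToken(claims) {
  const header = base64UrlEncode(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  return `${header}.${base64UrlEncode(JSON.stringify(claims))}.sig`;
}

const NOW = 1700000000; // fixed clock for a reproducible run
const ISSUER = 'https://idp.example'; // hypothetical shared issuer
const tokenForServiceA = makeToken({ iss: ISSUER, aud: 'service-a', sub: 'alice', exp: NOW + 600 });
const tokenForServiceB = makeToken({ iss: ISSUER, aud: 'service-b', sub: 'alice', exp: NOW + 600 });

// What service-a decides about a token under the vulnerable default and under
// the audience-enforcing policy.
function decide(token, self = 'service-a', nowSeconds = NOW) {
  const claims = decodeClaims(token);
  const live = acceptedWithoutAudienceCheck(claims, nowSeconds);
  return {
    aud: claims.aud,
    vulnerable: live,
    hardened: live && checkAudience(claims, self),
  };
}

console.log('token for service-a presented to service-a:', decide(tokenForServiceA));
console.log('token for service-b presented to service-a:', decide(tokenForServiceB));
```

The second line of output is the finding: the token minted for `service-b` is accepted by `service-a` under the vulnerable policy and rejected once `checkAudience` is consulted, which is exactly what configuring `verification.aud` on 4.10.2 or later is meant to achieve.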