CVE-2026-59896
Received Received - Intake

Hono JSX Context Isolation Bypass in Server-Side Rendering

Vulnerability report for CVE-2026-59896, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: GitHub, Inc.

Description

Hono is a Web application framework that provides support for any JavaScript runtime. From 4.11.8 before 4.12.27, hono/jsx did not isolate context values per request during server-side rendering, allowing createContext, useContext, jsxRenderer, or useRequestContext data from a different in-flight request to be used after an await in an async component. This issue is fixed in version 4.12.27.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-09
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
honojs hono to 4.12.27 (exc)
honojs hono 4.12.27

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-362 The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The vulnerability in hono/jsx allowed context values to leak across concurrent server-side rendering requests, potentially exposing sensitive data from one user to another.

Such cross-request data disclosure can lead to unauthorized access to personal or sensitive information, which may violate data protection requirements under standards like GDPR and HIPAA.

Incorrect authorization checks caused by context leakage could further increase the risk of unauthorized data exposure or modification.

Therefore, this vulnerability could negatively impact compliance with regulations that mandate strict data isolation, confidentiality, and access controls.

Upgrading to version 4.12.27, which fixes the issue by isolating context per request, is necessary to mitigate these compliance risks.

Executive Summary

The vulnerability in Hono's hono/jsx and hono/jsx-renderer components occurs because context values are stored process-wide instead of being isolated per request during server-side rendering (SSR). This means that when asynchronous components use context-related functions like createContext, useContext, jsxRenderer, or useRequestContext, context data from one in-flight request can be accessed by another concurrent request after an await in an async component.

This flaw allows cross-request data leakage and can cause incorrect authorization checks because the context is not properly isolated between requests. The issue specifically affects versions from 4.11.8 up to before 4.12.27 and was fixed in version 4.12.27 by isolating context per request using mechanisms like AsyncLocalStorage.

Impact Analysis

This vulnerability can lead to sensitive data leakage between concurrent users of the application. For example, a user might receive HTML content or context data intended for another user, exposing private information.

It can also cause incorrect authorization checks, potentially allowing unauthorized access or actions because the context used to determine permissions may be mixed up between requests.

Overall, this can compromise data confidentiality and integrity in applications using the affected versions of Hono's server-side rendering framework.

Detection Guidance

This vulnerability involves context values leaking across concurrent server-side rendering requests in the Hono framework versions 4.11.8 to before 4.12.27. Detection involves identifying if your system is running an affected version of hono/jsx or hono/jsx-renderer and if async components use context after await statements.

Since the issue is related to server-side rendering context leakage, direct network detection commands are not straightforward. Instead, detection should focus on verifying the version of the Hono framework in use and reviewing application logs or behavior for signs of cross-request data leakage or incorrect authorization.

Suggested commands to check the installed version of Hono (or hono/jsx) in your project environment include:

  • npm list hono
  • npm list hono/jsx

Additionally, you can search your codebase for usage of createContext, useContext, jsxRenderer, or useRequestContext in async components that use await, to identify potential vulnerable code patterns.

Mitigation Strategies

The primary mitigation step is to upgrade the Hono framework and its related components (hono/jsx, hono/jsx-renderer) to version 4.12.27 or later, where this vulnerability has been fixed.

This update isolates context values per request during server-side rendering, preventing cross-request data leakage and incorrect authorization checks.

If upgrading immediately is not possible, review your application code to avoid using createContext, useContext, jsxRenderer, or useRequestContext after await in async components during server-side rendering, as this is the vulnerable pattern.

Monitor your application for any signs of data leakage or authorization anomalies and consider implementing additional logging around context usage in SSR components.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-59896. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart