v4.11.4
Security
Fixed a JWT algorithm confusion issue in the JWT and JWK/JWKS middleware.
Both middlewares now require an explicit algorithm configuration, so the verification algorithm is chosen by the server's configuration and can no longer be influenced by the untrusted `alg` value in the JWT header.
If you are using the JWT or JWK/JWKS middleware, please update to the latest version as soon as possible.
JWT middleware
```ts
import { jwt } from 'hono/jwt'

app.use(
  '/auth/*',
  jwt({
    secret: 'it-is-very-secret',
    alg: 'HS256', // required
  })
)
```
JWK/JWKS middleware
```ts
import { jwk } from 'hono/jwk'

app.use(
  '/auth/*',
  jwk({
    jwks_uri: 'https://example.com/.well-known/jwks.json',
    alg: ['RS256'], // required (asymmetric algorithms only)
  })
)
```
For more details, see the Security Advisories:
- https://github.com/honojs/hono/security/advisories/GHSA-f67f-6cw9-8mq4
- https://github.com/honojs/hono/security/advisories/GHSA-3vhc-576x-3qv4
What's Changed
- test(utils/jwt): add missing algorithm types in jwa.test.ts by @flathill404 in https://github.com/honojs/hono/pull/4607
- chore: bump `@hono/eslint-config` and enable curly rule by @yusukebe in https://github.com/honojs/hono/pull/4620
- docs(bun/websocket): Fixed a typo in hono/bun deprecation message and updated test. by @Itsnotaka in https://github.com/honojs/hono/pull/4618
- test: support `alg` option for JWT middleware by @yusukebe in https://github.com/honojs/hono/pull/4624
New Contributors
- @flathill404 made their first contribution in https://github.com/honojs/hono/pull/4607
- @Itsnotaka made their first contribution in https://github.com/honojs/hono/pull/4618
Full Changelog: https://github.com/honojs/hono/compare/v4.11.3...v4.11.4