hono is vulnerable to Cross-Site Scripting (XSS)
61
Medium Risk
The cx() utility in hono/css composes class names from plain strings but marks the result as already-escaped without HTML-escaping the input. When the composed value is used as a JSX class attribute during server-side rendering, the normal attribute escaping is skipped, so characters such as " pass through unescaped. Untrusted input passed as a class name can break out of the class attribute and inject arbitrary markup, resulting in server-side Cross-Site Scripting. The fix escapes the composed class name before it is emitted into the attribute.
You are affected if you are using a version that falls within the vulnerable range and your application renders JSX server-side and passes untrusted input as a class name to cx() from hono/css.
hono is vulnerable to Cross-Site Scripting (XSS) in versions 4.0.0 - 4.12.26.
Upgrade the hono library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant