hono is vulnerable to Race Condition
65
Medium Risk
During server-side rendering, hono/jsx stored context values in a process-wide structure instead of scoping them per request. When an async component reads context after an await while requests render concurrently, useContext() and useRequestContext() could observe another in-flight request's value. This can render a response with another user's context or evaluate an authorization check against the wrong request, leaking request-scoped data across requests. The fix isolates context per render so the provided value is preserved until the render's Promise resolves.
You are affected if you are using a version that falls within the vulnerable range and your application uses hono/jsx or hono/jsx-renderer server-side rendering that reads context after an await in an async component.
hono is vulnerable to Race Condition in versions 4.11.8 - 4.12.26.
Upgrade the hono library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant