Intel

AIKIDO-2026-724213

hono is vulnerable to Race Condition

Race ConditionGHSA-hvrm-45r6-mjfj Published Jun 24, 2026

65

Medium Risk

This Affects:

JShono
4.11.8 - 4.12.26
Fixed in 4.12.27
Are you affected? Scan for Free

TL;DR

During server-side rendering, hono/jsx stored context values in a process-wide structure instead of scoping them per request. When an async component reads context after an await while requests render concurrently, useContext() and useRequestContext() could observe another in-flight request's value. This can render a response with another user's context or evaluate an authorization check against the wrong request, leaking request-scoped data across requests. The fix isolates context per render so the provided value is preserved until the render's Promise resolves.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and your application uses hono/jsx or hono/jsx-renderer server-side rendering that reads context after an await in an async component.

Background info

hono is vulnerable to Race Condition in versions 4.11.8 - 4.12.26.

How to fix this

Upgrade the hono library to the patch version.