{"id":72158,"date":"2025-10-22T23:45:38","date_gmt":"2025-10-22T20:15:38","guid":{"rendered":"https:\/\/afaghhosting.net\/blog\/cve-2025-62610-hono-improperly-authorizes-jwt-audience-validation\/"},"modified":"2025-10-22T23:45:38","modified_gmt":"2025-10-22T20:15:38","slug":"cve-2025-62610-hono-improperly-authorizes-jwt-audience-validation","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/cve-2025-62610-hono-improperly-authorizes-jwt-audience-validation\/","title":{"rendered":"CVE-2025-62610 &#8211; Hono Improperly Authorizes JWT Audience Validation"},"content":{"rendered":"<p>CVE ID : CVE-2025-62610<\/p>\n<p>Published :  Oct. 22, 2025, 8:15 p.m. | 27\u00a0minutes ago<\/p>\n<p>Description : Hono is a Web application framework that provides support for any JavaScript runtime. In versions from 1.1.0 to before 4.10.2, Hono\u2019s JWT Auth Middleware does not provide a built-in aud (Audience) verification option, which can cause confused-deputy \/ token-mix-up issues: an API may accept a valid token that was issued for a different audience (e.g., another service) when multiple services share the same issuer\/keys. This can lead to unintended cross-service access. Hono\u2019s docs list verification options for iss\/nbf\/iat\/exp only, with no aud support; RFC 7519 requires that when an aud claim is present, tokens MUST be rejected unless the processing party identifies itself in that claim. This issue has been patched in version 4.10.2.<\/p>\n<p>Severity: 8.1 | HIGH<\/p>\n<p>Visit the link for more details, such as CVSS details, affected products, timeline, and more&#8230;\u00a0<\/p>\n","protected":false},"excerpt":{"rendered":"<p>CVE ID : CVE-2025-62610 Published : Oct. 22, 2025, 8:15 p.m. | 27\u00a0minutes ago Description : Hono is a Web application framework that provides support for any JavaScript runtime. In versions from 1.1.0 to before 4.10.2, Hono\u2019s JWT Auth Middleware does not provide a built-in aud (Audience) verification option, which can cause confused-deputy \/ token-mix-up &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-72158","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/72158","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=72158"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/72158\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=72158"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=72158"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=72158"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}