Download Latest Version
v4.12.12 source code.tar.gz (1.7 MB)
Get an email when there's a new version of Hono
| Name | Modified | Size | Downloads / Week |
|---|---|---|---|
| Parent folder | |||
| README.md | 2026-04-07 | 1.7 kB | |
| v4.12.12 source code.tar.gz | 2026-04-07 | 1.7 MB | |
| v4.12.12 source code.zip | 2026-04-07 | 1.8 MB | |
| Totals: 3 Items | 3.5 MB | 0 | |
Security fixes
This release includes fixes for the following security issues:
Middleware bypass via repeated slashes in serveStatic
Affects: Serve Static middleware. Fixes a path normalization inconsistency where repeated slashes (//) could bypass route-based middleware protections and allow access to protected static files. GHSA-wmmm-f939-6g9c
Path traversal in toSSG() allows writing files outside the output directory
Affects: toSSG() for Static Site Generation. Fixes a path traversal issue where crafted ssgParams values could write files outside the configured output directory. GHSA-xf4j-xp2r-rqqx
Incorrect IP matching in ipRestriction() for IPv4-mapped IPv6 addresses
Affects: IP Restriction Middleware. Fixes improper handling of IPv4-mapped IPv6 addresses (e.g. ::ffff:127.0.0.1) that could cause allow/deny rules to be bypassed. GHSA-xpcf-pg52-r92g
Missing validation of cookie name on write path in setCookie()
Affects: setCookie(), serialize(), and serializeSigned() from hono/cookie. Fixes missing validation of cookie names on the write path, preventing inconsistent handling between parsing and serialization. GHSA-26pp-8wgv-hjvm
Non-breaking space prefix bypass in cookie name handling in getCookie()
Affects: getCookie() from hono/cookie. Fixes a discrepancy in cookie name handling that could allow attacker-controlled cookies to override legitimate ones and bypass prefix protections. GHSA-r5rp-j6wh-rvv4
Users who use Serve Static, Static Site Generation, Cookie utilities, or IP restriction middleware are strongly encouraged to upgrade to this version.
