Hono JWT Audience Validation Vulnerability Allowing Cross-Service Access

Vulnerability

A vulnerability exists in Hono's JWT authentication middleware in versions from 1.1.0 up to, but not including, 4.10.2: the 'aud' (Audience) claim is not validated by default. This omission can lead to 'confused-deputy' issues, where an API accepts tokens that were issued for a different audience, potentially granting unauthorized access to services. The missing audience check matters most when multiple services share the same issuer and signing keys, as is the case with Google Identity tokens.

Impact

This vulnerability creates an authentication and authorization weakness by allowing tokens from one service to be accepted by another, leading to unintended cross-service access and the mixing of different types of tokens or audiences.

Reproduction

To reproduce this vulnerability, use Hono's JWT middleware without specifying the 'aud' option. Obtain a valid JWT for one audience (e.g., through 'Sign in with Google') and use it to access an API that does not verify the 'aud' claim, thereby gaining unauthorized access.

Remediation

Update to Hono version 4.10.2 or later, and configure the JWT middleware to validate the 'aud' claim according to RFC 7519 requirements.
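The following is an added example, not Hono's code, showing the difference between the pre-4.10.2 default (trust any token from the issuer) and an audience check that follows RFC 7519: 'aud' may be a string or an array of strings, and the recipient must find its own identifier among them. The tokens, issuer and service names are constructed for illustration, and the signature is assumed to have been verified already, as the middleware would do before looking at claims.

```javascript
// Added example (not Hono's code): RFC 7519 'aud' handling for a JWT payload.
// Tokens below are constructed and unsigned for illustration only.

function base64url(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64url');
}

// Build a compact JWT (header.payload.signature) with a dummy signature.
function makeUnsignedToken(payload) {
  return `${base64url({ alg: 'none', typ: 'JWT' })}.${base64url(payload)}.sig`;
}

function decodePayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed JWT');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// RFC 7519 section 4.1.3: 'aud' is a string or an array of strings; reject the
// token unless one of those values is the identifier of this service.
function audienceMatches(payload, expected) {
  const aud = payload.aud;
  if (aud === undefined) return false; // absent aud: cannot prove the token was meant for us
  const list = Array.isArray(aud) ? aud : [aud];
  if (!list.every((a) => typeof a === 'string')) return false;
  return list.includes(expected);
}

// Vulnerable behaviour (pre-4.10.2 default): any token from the trusted issuer passes.
function acceptWithoutAud(payload, issuer) {
  return payload.iss === issuer;
}

// Hardened behaviour: the token must also name this service in 'aud',
// which is what configuring the middleware's 'aud' option enforces.
function acceptWithAud(payload, issuer, expectedAud) {
  return payload.iss === issuer && audienceMatches(payload, expectedAud);
}

// Constructed sample: one issuer, two tokens issued for different services.
const ISSUER = 'https://issuer.example'; // placeholder issuer
const TOKEN_FOR_A = makeUnsignedToken({ iss: ISSUER, aud: 'service-a', sub: 'user-1' });
const TOKEN_FOR_BC = makeUnsignedToken({ iss: ISSUER, aud: ['service-b', 'service-c'], sub: 'user-1' });

// service-a evaluating both tokens: without the aud check the service-b/c token is accepted.
function demo() {
  const a = decodePayload(TOKEN_FOR_A);
  const bc = decodePayload(TOKEN_FOR_BC);
  return {
    withoutAud: [acceptWithoutAud(a, ISSUER), acceptWithoutAud(bc, ISSUER)], // [true, true]
    withAud: [acceptWithAud(a, ISSUER, 'service-a'), acceptWithAud(bc, ISSUER, 'service-a')], // [true, false]
  };
}
```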

Added: Oct 22, 2025, 8:18 PM
Updated: Oct 22, 2025, 9:14 PM

Vulnerability Rating (custom algorithm)

spread: 2.2
impact: 5.0
exploitability: 7.6
remediation: 8.3
relevance: 0.7
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.