Hono
cpe:2.3:a:hono:hono:*:*:*:*:node.js:*:*
- < 4.12.18
A vulnerability exists in the Hono web application framework, prior to version 4.12.18, due to improper validation of the JWT NumericDate claims 'exp', 'nbf', and 'iat' in the 'hono/utils/jwt' module. This flaw allows tokens with non-compliant claim values to silently bypass time-based validations. The issue arises when the 'verify()' function processes a malformed claim value; in practice this requires that the application itself issue such tokens or that the signing key be compromised. As a result, tokens may be accepted as valid even when they should have been rejected, potentially leading to unauthorized access or actions.
This vulnerability allows an actor with the ability to issue tokens accepted by the application to create tokens that bypass time-based enforcement on the 'exp', 'nbf', or 'iat' claims. Consequently, this could result in tokens being accepted as valid indefinitely, tokens with a future 'nbf' being wrongly considered current, or tokens with a future 'iat' being accepted as legitimately issued.
Users should update to Hono version 4.12.18 or later, where this vulnerability has been fixed.
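The weakness described above is a failure to type-check the NumericDate claims before comparing them with the current time. The following is an added example, not Hono's own code: a strict claim check that fails closed on malformed values, shown beside a hypothetical lax check that illustrates the failure mode (the lax function is not Hono's actual implementation). `NOW`, the function names and the `leeway` parameter are assumptions for the example.

```javascript
// Added example, not Hono's own code. Strict validation of the JWT
// NumericDate claims 'exp', 'nbf' and 'iat' (RFC 7519 section 2 defines
// NumericDate as a JSON number of seconds since the epoch), beside a
// hypothetical lax check of the kind that lets malformed values through.
// NOW is a constructed "current time" in seconds; function names are assumed.
const NOW = 1700000000;

// Lax check (hypothetical, for contrast only): comparing a string or NaN
// with a number is false in JavaScript, so a malformed claim is never
// treated as expired or not-yet-valid and the token passes silently.
function laxTimeCheck(payload, now = NOW) {
  if (payload.exp !== undefined && payload.exp < now) return 'expired';
  if (payload.nbf !== undefined && payload.nbf > now) return 'not-yet-valid';
  if (payload.iat !== undefined && payload.iat > now) return 'issued-in-future';
  return 'ok';
}

// A claim is a valid NumericDate only if it is a finite JSON number.
// Strings (even numeric ones), booleans, null, NaN and Infinity are rejected.
function isNumericDate(value) {
  return typeof value === 'number' && Number.isFinite(value);
}

// Strict check: reject any present time claim that is not a NumericDate
// before doing the comparisons, so malformed values fail closed.
// `leeway` is an optional clock-skew allowance in seconds.
function strictTimeCheck(payload, now = NOW, leeway = 0) {
  for (const claim of ['exp', 'nbf', 'iat']) {
    if (claim in payload && !isNumericDate(payload[claim])) {
      return `malformed-${claim}`;
    }
  }
  // RFC 7519: the current time MUST be before exp, and on or after nbf.
  if ('exp' in payload && now >= payload.exp + leeway) return 'expired';
  if ('nbf' in payload && now < payload.nbf - leeway) return 'not-yet-valid';
  if ('iat' in payload && now < payload.iat - leeway) return 'issued-in-future';
  return 'ok';
}

// Constructed payload: the malformed 'exp' sails through the lax check
// but is rejected by the strict one.
const malformed = { sub: 'user', exp: 'never' };
console.log(laxTimeCheck(malformed));    // 'ok'
console.log(strictTimeCheck(malformed)); // 'malformed-exp'
```

The strict function operates on an already signature-verified payload; it does not replace signature verification, it only closes the claim-validation gap.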