DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-22817: Identity Theft on the Edge: Exploiting JWT Algorithm Confusion in Hono

Vulnerability ID: CVE-2026-22817
CVSS Score: 8.2
Published: 2026-01-13

A critical authentication bypass vulnerability in the Hono web framework allows attackers to forge JSON Web Tokens (JWTs) by confusing the verification algorithm. By swapping asymmetric algorithms (like RS256) for symmetric ones (HS256) in the token header, an attacker can trick the server into verifying the signature using its own public key as a shared secret.

TL;DR

Hono versions prior to 4.11.4 failed to enforce specific cryptographic algorithms in their JWT middleware. This classic 'Algorithm Confusion' flaw allows attackers to sign malicious tokens using the server's publicly available RSA public key, treating it as an HMAC secret. The result is a total authentication bypass. Update to 4.11.4 immediately and explicitly define your alg parameter.


⚠️ Exploit Status: PoC

Technical Details

  • CWE ID: CWE-347
  • Attack Vector: Network
  • CVSS Score: 8.2 (High)
  • Confidentiality: Low (Access)
  • Integrity: High (Forgery)
  • Exploit Status: PoC available

Affected Systems

  • Hono Web Framework (Node.js)
  • Hono on Cloudflare Workers
  • Hono on Deno
  • Hono on Bun
  • Hono: < 4.11.4 (Fixed in: 4.11.4)

Code Analysis

Commit: cc0aa7a

fix: make alg required for jwt and jwk middleware

@@ -1,5 +1,6 @@
-  const algorithm = key.alg || header.alg
+  if (!options.alg) throw new JwtAlgorithmRequired()
+  if (header.alg !== options.alg) throw new JwtAlgorithmMismatch()
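Review bot: the removed `const algorithm = key.alg || header.alg` has no visible replacement in this hunk, so the verification call that follows must now read `options.alg` rather than a no-longer-defined `algorithm`; please include that context line so the change can be reviewed as a whole. Dropping `key.alg` also means the jwk middleware no longer consults the `alg` a JWKS key advertises; if a key is published with an `alg` that differs from `options.alg`, the request should be rejected rather than silently verified with mismatched key material, e.g. `if (key.alg && key.alg !== options.alg) throw new JwtAlgorithmMismatch()`.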

Exploit Details

  • Theory: Standard Algorithm Confusion Methodology

Mitigation Strategies

  • Enforce explicit algorithm definitions in middleware configuration.
  • Disable symmetric algorithm support (HS256/384/512) when using public key infrastructure.
  • Check that the key material is compatible with the configured algorithm (an RSA public key must never be accepted as an HMAC secret).

Remediation Steps:

  1. Update hono package to version 4.11.4.
  2. Audit all jwt() and jwk() middleware calls.
  3. Add the alg: 'RS256' (or appropriate algorithm) property to the configuration object.
  4. Redeploy the application.

References


Read the full report for CVE-2026-22817 on our website for more details including interactive diagrams and full exploit analysis.
