Hono ErrorBoundary: When the Safety Net is the Trap
Vulnerability ID: CVE-2026-24771
CVSS Score: 4.7
Published: 2026-01-28
In a twist of irony, the component designed to handle crashes in the Hono framework became a vector for crashes of a different kind. CVE-2026-24771 reveals how the ErrorBoundary component in Hono's JSX middleware bypassed the framework's own XSS protections, turning harmless error states into dangerous injection vectors.
TL;DR
Hono's ErrorBoundary component was manually marking its child content as 'raw' (safe) HTML. This allowed attackers to inject malicious scripts if user input was rendered inside the boundary. Fixed in v4.11.7 by using standard JSX Fragments.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-79
- CVSS Score: 4.7 (Medium)
- Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
- EPSS Score: 0.00036
- Attack Vector: Network / Reflected
- Vendor: Hono
Affected Systems
- Hono Framework (Node.js)
- Hono Framework (Cloudflare Workers)
- Hono Framework (Bun)
- Hono Framework (Deno)
- hono: < 4.11.7 (Fixed in: 4.11.7)
Code Analysis
Commit: 2cf6004
fix: ErrorBoundary renders children as raw
- return raw(resArray.join(''))
+ return Fragment({ children: resArray as Child[] })
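Review bot: the `as Child[]` cast on the added line asserts that resArray already holds renderable children, so this one-line fix only closes the hole if the renderer escapes plain string children when it walks the returned Fragment; the removed line made the opposite assumption by joining everything and wrapping it in raw(), which is what let tags through. Pair the change with a regression test that renders a string child containing HTML tags inside ErrorBoundary and asserts the output contains &lt; rather than a literal <, as the advisory's own verification step describes.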
Mitigation Strategies
- Update Hono framework to version 4.11.7 or later.
- Audit the codebase for ErrorBoundary components that wrap user-controlled input.
- Implement Content Security Policy (CSP) to restrict script execution sources.
Remediation Steps:
- Run npm list hono to check your current version.
- Run npm install hono@latest to upgrade.
- Verify the fix by attempting to render a string containing HTML tags inside an ErrorBoundary; the tags should appear as text (escaped) rather than elements.
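The bug class behind the TL;DR and the verification step above, as an added example that is not Hono's code: a minimal TypeScript model of a JSX renderer with an escape step and a raw() marker, a boundary that joins its children into one raw string (the shape of the removed line in the commit) beside one that returns a Fragment (the shape of the added line), and a check that a string child containing tags comes out escaped. The names raw, Fragment, Child, render and the sample message are the model's own assumptions and only echo the commit.

```typescript
// Added example, not Hono's code: a minimal model of a JSX renderer's escaping
// and of the two ErrorBoundary shapes in the commit above.
type RawHtml = { __raw: string };        // marker: "already HTML, do not escape"
type Child = string | RawHtml;           // a flat child: text or raw markup
type JsxNode = Child | Child[];

const raw = (html: string): RawHtml => ({ __raw: html });
const isRaw = (c: Child): c is RawHtml => typeof c === 'object';

const ESC: Record<string, string> = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};
// Escape the characters that change meaning in HTML text and attribute values.
function escapeHtml(s: string): string {
  return s.replace(/[&<>"']/g, (ch) => ESC[ch] ?? ch);
}

// Render a node: plain strings are escaped, raw nodes are emitted verbatim.
function render(node: JsxNode): string {
  if (Array.isArray(node)) return node.map(render).join('');
  return isRaw(node) ? node.__raw : escapeHtml(node);
}

// Fragment keeps children as nodes, so render() still decides per child.
const Fragment = (children: Child[]): JsxNode => children;

// Pre-fix shape (the "-" line): children are flattened to strings, joined, and
// the whole result is marked raw, so an unescaped text child passes through.
function boundaryBefore(children: Child[]): JsxNode {
  const resArray = children.map((c) => (isRaw(c) ? c.__raw : c));
  return raw(resArray.join(''));
}

// Post-fix shape (the "+" line): hand the children back as a Fragment and let
// the renderer escape each string child.
function boundaryAfter(children: Child[]): JsxNode {
  return Fragment(children);
}

// The check from the remediation steps: render a string containing tags inside
// the boundary and confirm they come out as text, not elements.
function tagsAreEscaped(boundary: (c: Child[]) => JsxNode, input: string): boolean {
  const out = render(boundary([input]));
  return !out.includes('<') && out.includes(escapeHtml(input));
}

// Constructed sample: an error message that echoes a user-supplied value.
const SAMPLE = 'Lookup failed for "<b>name</b>"';
```

Intentional markup still passes through the fixed boundary when it is wrapped in raw(), so only text children change behaviour.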
References
Read the full report for CVE-2026-24771 on our website for more details including interactive diagrams and full exploit analysis.