CVE-2025-62610
📋 TL;DR
Hono's JWT Auth Middleware lacks built-in audience (aud) claim verification, allowing valid tokens issued for different services to be accepted when multiple services share the same issuer/keys. This confused-deputy vulnerability enables unintended cross-service access. Affects Hono versions 1.1.0 through 4.10.1.
💻 Affected Systems
- Hono
⚠️ Risk & Real-World Impact
Worst Case
Attackers could use tokens from one service to gain unauthorized access to another service sharing the same issuer, potentially leading to data breaches, privilege escalation, or service compromise.
Likely Case
Accidental or intentional token reuse across services in multi-service architectures, causing authorization bypass and unintended data access.
If Mitigated
Proper audience verification prevents token reuse, limiting access to intended services only.
🎯 Exploit Status
Exploitation requires obtaining a valid JWT token from another service sharing the same issuer/keys.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.10.2
Vendor Advisory: https://github.com/honojs/hono/security/advisories/GHSA-m732-5p4w-x69g
Restart Required: Yes
Instructions:
1. Update the Hono package to version 4.10.2 or later.
2. Restart the application.
3. Configure audience verification in the JWT middleware if using aud claims.
🔧 Temporary Workarounds
Manual Audience Verification
Implement custom middleware that verifies the aud claim matches the expected service identifier.
// Example: Add custom JWT verification middleware
import jwt from 'jsonwebtoken'; // assumed library; any verifier that returns the decoded payload works here
const EXPECTED_AUDIENCE = 'expected-audience'; // this service's own identifier
app.use('/api/*', async (c, next) => {
  const token = c.req.header('Authorization')?.split(' ')[1];
  if (token) {
    let payload;
    try {
      payload = jwt.verify(token, secret); // throws on bad signature or expired token
    } catch {
      return c.text('Invalid token', 401);
    }
    // aud may be a string or an array (RFC 7519); a token with no aud is rejected too,
    // otherwise a token minted without aud would still pass at every service
    const aud = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
    if (!aud.includes(EXPECTED_AUDIENCE)) {
      return c.text('Invalid audience', 401);
    }
  }
  await next();
});
🧯 If You Can't Patch
- Implement network segmentation to isolate services sharing JWT issuer/keys.
- Use different JWT signing keys for each service to prevent token reuse.
🔍 How to Verify
Check if Vulnerable:
Check package.json for a Hono version between 1.1.0 and 4.10.1, and confirm whether the JWT middleware configuration performs any aud verification.
Check Version:
npm list hono
Verify Fix Applied:
Confirm the Hono version is 4.10.2 or later, and test that JWT tokens with mismatched aud claims are rejected.
📡 Detection & Monitoring
Log Indicators:
- Failed authentication attempts with valid tokens from unexpected services
- JWT verification logs showing missing aud validation
Network Indicators:
- Unusual cross-service API calls using shared JWT tokens
SIEM Query:
source="application.log" AND ("JWT" AND "audience" AND "invalid")