Hono, Improper Validation, CVE-2026-44459 (Low)


The vulnerability resides in `hono/utils/jwt`, where the `verify()` function fails to correctly validate the `exp`, `nbf` and `iat` claims. The validation routine uses a single short‑circuiting expression that combines the presence check and the numeric comparison, so a malformed claim value can bypass the check entirely. A falsy numeric value (`0`) short‑circuits the presence check, so no comparison is made at all. A non‑finite number (`Infinity`, which a standard JSON parser produces from an overflowing literal such as `1e999`) makes the comparison evaluate as never expired or never before now. A non‑numeric value (a non‑numeric string, or `null`) either short‑circuits as falsy or yields a `NaN` comparison that always evaluates to false. Consequently, tokens carrying such malformed claims are accepted and the intended time‑based restrictions are ignored. This deviates from RFC 7519, which defines a NumericDate (§2) as a JSON numeric value counting seconds since the Unix epoch and uses it for `exp` (§4.1.4), `nbf` and `iat`. The issue is not exploitable by an anonymous attacker, because the signature is still checked; it only matters when the application itself issues malformed tokens or when the signing key is under the attacker’s control.

DailyCVE form:

Platform: hono
Version: <4.12.18
Vulnerability: Improper Validation
Severity: Low
Date: 2026‑05‑09

Prediction: 2026‑05‑09

What Undercode Say:

# Inspect a token's claims for malformed NumericDate values (JWT segments are base64url, so restore +/ before decoding)
jq -R 'split(".")[1] | gsub("-";"+") | gsub("_";"/") | @base64d | fromjson' <<< "HEADER.PAYLOAD.SIGNATURE"
# Build a test token whose exp is non-finite: a bare Infinity is not valid JSON, but the overflowing
# literal 1e999 parses to Infinity in JavaScript and therefore bypasses the pre-patch check
b64url() { openssl base64 -A | tr '+/' '-_' | tr -d '='; }
HEADER=$(printf '%s' '{"alg":"HS256","typ":"JWT"}' | b64url)
PAYLOAD=$(printf '%s' '{"exp":1e999}' | b64url)
# verify() still checks the signature, so the token must be signed with the application's key (assumed here)
SECRET='app-secret'
SIG=$(printf '%s' "$HEADER.$PAYLOAD" | openssl dgst -sha256 -hmac "$SECRET" -binary | b64url)
TOKEN="$HEADER.$PAYLOAD.$SIG"
echo "$TOKEN"
// Validate a token with Hono's JWT helper (vulnerable versions, <4.12.18); verify() from
// hono/utils/jwt is re-exported as `verify` from 'hono/jwt'
import { verify } from 'hono/jwt';
const secret = 'app-secret';        // must match the key the token was signed with
const token = process.argv[2];      // token built above, passed on the command line
try {
  await verify(token, secret, 'HS256');
  console.log('Token accepted (time-based claims not enforced)');
} catch (e) {
  console.log('Rejected:', e.message);
}

Exploit:

Craft a JWT where `exp`, `nbf` or `iat` is set to a non‑finite number (`Infinity` cannot be written in JSON, but an overflowing literal such as `1e999` parses to it), a non‑numeric string, `null` or `0`, and sign it with the application's key. The short‑circuiting validation accepts it, making the token never expire or always valid. This allows an attacker with token‑issuing capability to bypass time‑based checks, enabling indefinite token reuse.

Protection from this CVE

Upgrade to Hono ≥4.12.18. If an immediate upgrade is impossible, add a check in front of `verify()` that strictly enforces RFC 7519 NumericDate semantics: each of `exp`, `nbf` and `iat`, when present, must be a finite number before it is compared with the current time. Ensure all JWT issuers generate compliant claims.
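The following is an added example, not Hono's own code. It places a lenient check that reproduces the short‑circuit pattern described above beside a strict check that enforces RFC 7519 NumericDate semantics, and runs both over constructed payloads covering each malformed case (overflowing literal, zero, null, non‑numeric string) plus a well‑formed expired and a well‑formed valid token. All function names (`decodePayload`, `lenientTimeCheck`, `strictTimeCheck`, `isNumericDate`, `runCases`), the sample claims and the fixed "current time" are this example's own assumptions.

```javascript
// Added example (not Hono's code): lenient short-circuit check vs. strict RFC 7519 NumericDate check.

// Decode the payload segment of a compact JWT without checking the signature (base64url -> JSON).
// JSON.parse turns an overflowing literal such as 1e999 into Infinity, which is how a
// non-finite NumericDate can reach the verifier from syntactically valid JSON.
function decodePayload(token) {
  const seg = token.split('.')[1];
  const b64 = seg.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return JSON.parse(Buffer.from(padded, 'base64').toString('utf8'));
}

// Lenient pattern: presence test and comparison fused into one short-circuiting expression.
// Returns null when the token would be accepted, otherwise the name of the failing claim.
function lenientTimeCheck(payload, now) {
  if (payload.nbf && payload.nbf > now) return 'nbf';   // 0, null: skipped; "text": NaN compare -> false
  if (payload.exp && payload.exp <= now) return 'exp';  // Infinity: never <= now
  if (payload.iat && now < payload.iat) return 'iat';
  return null;
}

// Strict pattern: a claim that is present must be a finite number (RFC 7519 §2 NumericDate)
// before any comparison is made; anything else rejects the token outright.
function isNumericDate(v) {
  return typeof v === 'number' && Number.isFinite(v);
}

function strictTimeCheck(payload, now) {
  for (const claim of ['exp', 'nbf', 'iat']) {
    if (claim in payload && !isNumericDate(payload[claim])) return claim;
  }
  if ('nbf' in payload && payload.nbf > now) return 'nbf';
  if ('exp' in payload && payload.exp <= now) return 'exp';
  if ('iat' in payload && payload.iat > now) return 'iat';
  return null;
}

// base64url-encode a raw JSON string (raw, so that 1e999 survives; JSON.stringify would emit null).
function b64url(str) {
  return Buffer.from(str, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

const NOW = 1_700_000_000;  // constructed "current time" in seconds since the epoch

// Constructed payloads: the malformed cases the advisory lists, plus two well-formed controls.
const CASES = {
  'exp overflow (1e999 -> Infinity)': '{"exp":1e999}',
  'exp zero': '{"exp":0}',
  'exp null': '{"exp":null}',
  'exp non-numeric string': '{"exp":"never"}',
  'nbf negative overflow (-Infinity)': '{"nbf":-1e999}',
  'iat non-numeric string': '{"iat":"later"}',
  'well-formed expired': `{"exp":${NOW - 60}}`,
  'well-formed valid': `{"exp":${NOW + 3600},"nbf":${NOW - 10},"iat":${NOW - 10}}`,
};

// Build an (unsigned, signature placeholder) token per case and report both verdicts.
function runCases(now = NOW) {
  const header = b64url('{"alg":"HS256","typ":"JWT"}');
  const results = {};
  for (const [name, json] of Object.entries(CASES)) {
    const payload = decodePayload(`${header}.${b64url(json)}.sig`);
    results[name] = { lenient: lenientTimeCheck(payload, now), strict: strictTimeCheck(payload, now) };
  }
  return results;
}

for (const [name, r] of Object.entries(runCases())) {
  console.log(`${name.padEnd(36)} lenient=${r.lenient ?? 'accept'}  strict=${r.strict ?? 'accept'}`);
}
```

Every malformed case is accepted by the lenient check and rejected by the strict one; the two well‑formed controls get the same verdict from both. As an interim mitigation on a vulnerable version, the strict check can be applied to `decode(token).payload` (the `decode` export of `hono/jwt`) before `verify()` is called, so malformed claims are rejected before the lenient comparison runs.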

Impact

An attacker able to issue malformed tokens can bypass all time‑based enforcement: tokens become non‑expiring even when an `exp` is configured, tokens with a future `nbf` are accepted as current, and tokens with a future `iat` are treated as legitimately issued. Only deployments whose token issuers emit well‑formed claims and whose signing keys are protected are unaffected.


Sources:

Reported By: github.com