Listen to this Post
CVE-2026-59896
Hono is a Web application framework that provides support for any JavaScript runtime. From version 4.11.8 before 4.12.27, the `hono/jsx` module did not isolate context values per request during server-side rendering (SSR). This allowed createContext, useContext, jsxRenderer, or `useRequestContext` data from a different in-flight request to be used after an `await` in an async component.
The root cause is that during SSR, context was stored in a process-wide structure instead of being scoped per request. When an async JSX component hits an `await` suspension point, the execution yields control. If another concurrent request renders through the same provider stack during this suspension, the original request may resume and observe the second request’s context values instead of its own. This creates a classic async context bleed vulnerability.
On runtimes without AsyncLocalStorage, the vulnerable path falls back to a process-local store only for synchronous work; a `useContext()` read after `await` in an async SSR component can degrade to the context’s default value rather than retain the request’s provided value. The leak is limited to server-side rendering in the async-suspension path; synchronous components and client-side DOM rendering are not affected.
The vulnerability affects all versions from 4.11.8 through 4.12.26. An attacker can trigger this race condition by causing concurrent SSR requests to overlap at async suspension points, potentially leaking sensitive user-specific data such as authentication tokens, session data, user IDs, or authorization context across different user sessions. This vulnerability is fixed in version 4.12.27, which adds proper AsyncLocalStorage-based request isolation for all JSX context primitives.
DailyCVE Form:
Platform: Hono (Node.js, Bun, Deno, Cloudflare Workers)
Version: 4.11.8 – 4.12.26
Vulnerability: Async Context Bleed (Race Condition)
Severity: Medium (CVSS 6.5 – 8.3)
date: July 8, 2026
Prediction: July 8, 2026 (4.12.27 released)
What Undercode Say:
Analytics:
The vulnerability manifests in production under concurrency. Low-traffic staging environments rarely reproduce it, making it particularly insidious. Hono now pulls 44 million weekly npm downloads and powers Cloudflare’s own infrastructure. The EPSS probability is 0.19% (9th percentile). Snyk’s CVSS assessment rates this as 8.3 High with the following vector:
– Attack Vector: Network
– Attack Complexity: Low
– Attack Requirements: Present
– Privileges Required: None
– User Interaction: None
– Confidentiality Impact: High
– Integrity Impact: Low
– Availability Impact: None
Bash Commands & Codes:
Check current Hono version npm list hono Upgrade to patched version npm install [email protected] Verify upgrade npm list hono | grep 4.12.27 Audit for vulnerable versions npm audit | grep hono
Vulnerable Code Pattern:
import { createContext, useContext } from 'hono/jsx'
const UserContext = createContext(null)
// Async component with await - VULNERABLE
async function Profile() {
const user = await fetchUserData() // <-- Suspension point
const ctx = useContext(UserContext) // <-- May return another request's context
return
<div>{ctx.userId}</div>
}
Fixed Code Pattern (4.12.27):
// Context is now isolated per request via AsyncLocalStorage // The fix isolates context per render so the provided value // is preserved until the render's Promise resolves
Prisma Users Note:
Prisma’s `@prisma/dev` package carries Hono as a transitive dependency. Every Prisma 7.x project will surface these CVEs in `npm audit` output.
Exploit:
An attacker can exploit this vulnerability by:
- Sending concurrent requests to an SSR endpoint that uses async JSX components with context APIs
- Timing the requests so that one request suspends on an `await` (e.g., database query, fetch)
- While suspended, another concurrent request renders through the same provider stack
- The original request resumes and `useContext()` returns the second request’s context values
Impact of successful exploitation:
- User A’s authentication token rendered in User B’s response
- User A’s session data leaked to User B
- Authorization checks using `useRequestContext()` evaluate against wrong user
- Request-scoped decisions use incorrect user context
Protection:
- Upgrade immediately to Hono version 4.12.27 or higher
- If unable to upgrade immediately, avoid using
createContext/useContext/jsxRenderer/useRequestContextinside async JSX components with `await` suspension points
3. Consider using synchronous components for context-dependent rendering
- Monitor for unusual data leakage patterns in production logs
- Run `npm audit` and address all Hono-related vulnerabilities
Impact:
- Confidentiality: High – user-specific data can leak across requests
- Integrity: Limited – authorization checks may use wrong user context
- Availability: None – service remains operational
- Affected components:
hono/jsx, `hono/jsx-renderer`
– Attack prerequisites: Server must handle concurrent SSR requests with async components using context APIs - Real-world severity: This vulnerability passes local tests and only surfaces under production concurrency
🎯Let’s Practice Exploiting & Learn Patching For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

