CVEReports
CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

Product

  • Home
  • Sitemap
  • RSS Feed

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad



CVE-2026-24771

Hono ErrorBoundary: When the Safety Net is the Trap

Amit Schendel
Amit Schendel
Senior Security Researcher

Jan 29, 2026·5 min read·32 visits

Executive Summary (TL;DR)

Hono's `ErrorBoundary` component was manually marking its child content as 'raw' (safe) HTML. This allowed attackers to inject malicious scripts if user input was rendered inside the boundary. Fixed in v4.11.7 by using standard JSX Fragments.

In a twist of irony, the component designed to handle crashes in the Hono framework became a vector for crashes of a different kind. CVE-2026-24771 reveals how the `ErrorBoundary` component in Hono's JSX middleware bypassed the framework's own XSS protections, turning harmless error states into dangerous injection vectors.

The Hook: The Safety Net That Wasn't

We all love an ErrorBoundary. It's the digital equivalent of an airbag—there to catch you when your code inevitably hits a wall. In the React ecosystem and its spiritual successors like Hono, these components are supposed to be inert wrappers that only wake up when something goes boom.

But in hono/jsx, the airbag was packed with shrapnel. The ErrorBoundary component wasn't just catching errors; it was aggressively interfering with the rendering pipeline. Instead of letting the JSX engine do its job (which includes sanitizing untrusted input), the component took a shortcut that effectively disabled the framework's immune system.

This vulnerability is a classic reminder that "helper" code often bypasses the strict security controls applied to the core logic. While developers were busy sanitizing their inputs elsewhere, this component was quietly whispering to the renderer: "Don't worry about this data, I've checked it. It's totally safe." Spoiler alert: It wasn't.

The Flaw: Accidental Trust

The root of the issue lies in how Hono handled the rendering of children within the ErrorBoundary. In a typical JSX environment, if you try to render a string like <script>alert(1)</script>, the engine escapes the angle brackets to &lt; and &gt;. This is XSS Defense 101.

However, the ErrorBoundary implementation in versions prior to 4.11.7 decided to go rogue. Instead of passing the children down the pipeline as nodes, it manually converted them to strings, concatenated them, and then—here is the fatal flaw—wrapped the entire blob in a raw() function call.

In Hono, raw() is the magic word that tells the framework, "This string is already safe HTML. Do not escape it." By applying this to the entire output of the component, the developers inadvertently authorized any malicious payload contained within the children to execute in the browser. It’s the equivalent of checking IDs at the club entrance but letting anyone with a "VIP" sticker walk in with a flamethrower—and then slapping a "VIP" sticker on everyone who walks through the door.

The Code: The Smoking Gun

Let's look at the crime scene in src/jsx/components.ts. The code tries to manage asynchronous children (Promises) and synchronous children together. In doing so, it forces a conversion to string and then bypasses safety checks.

The Vulnerable Code (Pre-4.11.7):

// 1. Convert everything to a string
resArray = children.map((c) =>
  c == null || typeof c === 'boolean' ? '' : c.toString()
)
 
// ... logic for promises ...
 
// 2. The Fatal Flaw: Joining strings and marking them as RAW
return raw(resArray.join(''))

The function c.toString() returns the string representation. If c is the string <img src=x...>, toString() returns exactly that. Then raw() marks it as safe.

The Fix (4.11.7):

import { Fragment } from './base'
 
// The fix relies on standard JSX composition
// We cast to Child[] and let the engine decide how to render it
return Fragment({ children: resArray as Child[] })

The fix is elegant in its simplicity. Instead of hacking the string concatenation, the maintainers switched to using a Fragment. This keeps the children as distinct nodes in the virtual DOM (or Hono's equivalent), ensuring that string nodes are subjected to standard escaping rules before they hit the wire.

The Exploit: Crashing into XSS

Exploiting this requires a scenario where an attacker can reflect input inside an ErrorBoundary. While ErrorBoundary is usually placed high up in the component tree (like in a Layout), developers often use it granularly around widgets.

The Setup: Imagine a developer wraps a user profile card in an ErrorBoundary because the profile data fetches might fail.

app.get('/user', (c) => {
  const name = c.req.query('name') // User controlled!
  return c.html(
    <ErrorBoundary fallback={<div>Failed to load</div>}>
      <div class="profile">
        Welcome, {name}
      </div>
    </ErrorBoundary>
  )
})

The Payload: An attacker sends a link: https://example.com/user?name=<img src=x onerror=alert(document.cookie)>

The Execution Flow:

  1. The name variable enters the JSX tree.
  2. Inside <ErrorBoundary>, name is part of the children array.
  3. The vulnerable component calls .toString() on the child, preserving the <img...> tag.
  4. It joins the array and wraps it in raw().
  5. The browser receives unescaped HTML and executes the JavaScript.

This bypasses the developer's expectation that {name} is safe because it's inside curly braces. It turns a standard reflected value into a stored-like XSS vector.

The Mitigation: Patch or Perish

The fix is straightforward: Update hono to version 4.11.7 or higher. The Hono team responded quickly, and the patch essentially removes the dangerous logic entirely in favor of standard composition.

If you are stuck on an older version (perhaps due to other dependencies), you are in a tight spot. You cannot monkey-patch the ErrorBoundary easily without forking the package. Your best interim defense is to manually sanitize every variable passed into an ErrorBoundary using Hono's escapeHtml utility:

import { escapeHtml } from 'hono/utils/html'
 
<ErrorBoundary>
  {escapeHtml(userInput)} {/* Double escaping is better than XSS */}
</ErrorBoundary>

However, since ErrorBoundary is often used deeply within libraries or layouts, finding every usage is tedious and error-prone. Just upgrade the package. It's lighter than your guilt will be after a breach.

Official Patches

HonoGitHub Commit Fix

Fix Analysis (1)

Technical Appendix

CVSS Score
4.7/ 10
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS Probability
0.04%
Top 90% most exploited

Affected Systems

Hono Framework (Node.js)Hono Framework (Cloudflare Workers)Hono Framework (Bun)Hono Framework (Deno)

Affected Versions Detail

Product
Affected Versions
Fixed Version
hono
Hono
< 4.11.74.11.7
AttributeDetail
CWE IDCWE-79
CVSS Score4.7 (Medium)
VectorCVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS Score0.00036
Attack VectorNetwork / Reflected
VendorHono

MITRE ATT&CK Mapping

T1190Exploit Public-Facing Application
Initial Access
T1059.007Command and Scripting Interpreter: JavaScript
Execution
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Vulnerability Timeline

Vulnerability Disclosed
2026-01-27
Patch v4.11.7 Released
2026-01-27
GHSA Advisory Published
2026-01-28

References & Sources

  • [1]GHSA Advisory
  • [2]Hono Documentation

More Reports

•about 7 hours ago•CVE-2026-48861
2.1

CVE-2026-48861: HTTP Request Splitting and Smuggling via Method Parameter CRLF Injection in Elixir Mint

CVE-2026-48861 is a client-side HTTP request-line CRLF (Carriage Return Line Feed) injection vulnerability in the popular Elixir HTTP client library, Mint. The vulnerability permits HTTP Request Splitting and HTTP Request Smuggling when an application forwards untrusted, attacker-controlled inputs to Mint's HTTP client requests as either the HTTP request method or target. By embedding CRLF characters within these parameters, an attacker can terminate the request line prematurely, inject malicious headers, or pipeline entirely independent requests. These smuggled requests are then processed by upstream or downstream proxy servers as separate HTTP queries on the same TCP connection. While Mint version 1.7.0 introduced target validation to secure the request target, the HTTP request method parameter remained completely unvalidated. This flaw allows attackers to bypass routing filters, access restricted internal APIs, or poison HTTP caches under default configurations.

Amit Schendel
Amit Schendel
4 views•7 min read
•about 8 hours ago•CVE-2026-49753
6.3

CVE-2026-49753: HTTP Request/Response Smuggling via Inconsistent Content-Length Parsing in Elixir Mint Client

An Inconsistent Interpretation of HTTP Requests (HTTP Request/Response Smuggling) vulnerability in the Elixir Mint HTTP client allows attacker-controlled HTTP/1 servers to desynchronize response framing on shared connections due to over-lenient parsing of sign-prefixed Content-Length headers.

Amit Schendel
Amit Schendel
6 views•6 min read
•about 8 hours ago•CVE-2026-49754
8.2

CVE-2026-49754: Denial of Service via Unbounded HTTP/2 CONTINUATION Frame Accumulation in Elixir Mint

An allocation of resources without limits or throttling vulnerability in Elixir Mint allows an attacker-controlled HTTP/2 server to exhaust memory in a Mint client. The vulnerability is exploited by sending a HEADERS frame without the END_HEADERS flag followed by an infinite stream of CONTINUATION frames. Because the client lacks limits on the incoming header-block accumulator, the client continuously consumes memory until an out-of-memory crash occurs.

Amit Schendel
Amit Schendel
7 views•6 min read
•about 9 hours ago•CVE-2026-48596
2.1

CVE-2026-48596: Improper Neutralization of CRLF Sequences in Elixir Tesla Multipart HTTP Client

CVE-2026-48596 is an Improper Neutralization of CRLF Sequences in HTTP Headers (HTTP Request/Response Splitting, CWE-113) in the Elixir Tesla HTTP client. The flaw resides in how multipart content-type parameters are joined and serialized, enabling attackers to inject arbitrary headers or split HTTP requests when applications pass untrusted inputs to the parameters of multipart uploads.

Alon Barad
Alon Barad
5 views•6 min read
•about 9 hours ago•CVE-2026-48594
8.2

CVE-2026-48594: Decompression Bomb Denial of Service in Elixir Tesla HTTP Client

An improper handling of highly compressed data (decompression bomb) vulnerability exists in the Elixir Tesla HTTP client when utilizing response decompression middlewares. By serving highly compressed responses or stacked content-encoding headers, a malicious server can cause arbitrary heap exhaustion, leading to a denial of service (DoS) crash in the BEAM virtual machine.

Amit Schendel
Amit Schendel
6 views•6 min read
•about 10 hours ago•CVE-2026-48595
8.2

CVE-2026-48595: Cross-Origin Credential Leakage in Elixir Tesla Client via Case-Sensitive Redirect Filter Bypass

A high-severity security vulnerability in Elixir's Tesla HTTP client library (CVE-2026-48595) allows unauthenticated remote attackers to harvest sensitive credentials, including Authorization headers and cookies. The flaw resides in the 'Tesla.Middleware.FollowRedirects' component, which performs case-sensitive lookups when stripping credentials during cross-origin redirects. Because HTTP headers are case-insensitive by RFC specifications, standard canonical casing (e.g., 'Authorization') bypasses the lowercase-only blocklist, leaking tokens to untrusted external redirect destinations.

Alon Barad
Alon Barad
6 views•5 min read