fix(deps): upgrade hono to 4.12.25 (CVE-2026-54290) #130
CORS middleware in hono <4.12.25 reflects any Origin header with
credentials when origin is configured as wildcard (*), enabling
cross-origin credential leakage. x402-api uses cors({ origin: '*' })
in src/index.ts, making it directly affected.
Closes: https://github.com/aibtcdev/x402-api/security/dependabot/61
Deploying with

| Status | Name | Latest Commit | Updated (UTC) |
|---|---|---|---|
| ✅ Deployment successful! | x402-api-production | e9098ef | Jun 20 2026, 02:28 AM |

Deploying with

| Status | Name | Latest Commit | Updated (UTC) |
|---|---|---|---|
| ✅ Deployment successful! | x402-api-staging | e9098ef | Jun 20 2026, 02:28 AM |
Reviewed (self-authored PR — leaving verification as a comment per GitHub's self-approval restriction, see https://github.com/aibtcdev/x402-api/blob/main/CONTRIBUTING.md if questions, mergeable by whoabuddy). Confirmed CVE-2026-54290 (GHSA-88fw-hqm2-52qc, CVSS 7.1) is real and One nuance worth a quick look, not blocking: the advisory's actual trigger is Verification complete. Good to merge.
Summary

- Upgrade `hono` from `^4.12.14` to `4.12.25`

Vulnerability

`hono/cors` middleware reflected any `Origin` header with credentials when `origin` was configured as the wildcard `*`. `x402-api` uses `cors({ origin: '*' })` in `src/index.ts`, making it directly affected — an attacker could craft a cross-origin request that receives credentialed responses.

Test plan

- `origin: "*"` no longer reflects arbitrary origins with credentials after upgrade

Closes: https://github.com/aibtcdev/x402-api/security/dependabot/61

🤖 Generated with Claude Code
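The test-plan check above, as an added example that is not code from this PR or from hono: a small TypeScript audit of the CORS response headers a server returns for a given request `Origin`, flagging the advisory's pattern (the `Origin` echoed back in `Access-Control-Allow-Origin` together with `Access-Control-Allow-Credentials: true` for an origin the operator never intended to trust). The `trustedOrigins` allow-list and the sample header sets are assumptions constructed for the example, not captured from x402-api.

```typescript
// Added example, not code from the PR or from hono. A literal "*" in ACAO is
// never counted as a reflection: browsers refuse to pair "*" with credentials,
// which is exactly the safe behaviour a wildcard configuration should keep.

interface CorsAudit {
  reflected: boolean;    // ACAO equals the request Origin verbatim (not "*")
  credentialed: boolean; // ACAC is "true"
  unsafe: boolean;       // reflected + credentialed for an untrusted origin
}

// trustedOrigins is an assumed allow-list of origins the operator actually
// wants credentialed access from; reflecting one of those is intended.
function auditCors(
  requestOrigin: string,
  responseHeaders: Record<string, string>,
  trustedOrigins: string[] = [],
): CorsAudit {
  // Header names are case-insensitive; normalise before lookup.
  const lower: Record<string, string> = {};
  for (const [k, v] of Object.entries(responseHeaders)) lower[k.toLowerCase()] = v;
  const acao = lower["access-control-allow-origin"];
  const acac = lower["access-control-allow-credentials"];
  const reflected = acao !== undefined && acao !== "*" && acao === requestOrigin;
  const credentialed = (acac ?? "").trim().toLowerCase() === "true";
  const unsafe = reflected && credentialed && !trustedOrigins.includes(requestOrigin);
  return { reflected, credentialed, unsafe };
}

// Constructed sample responses (not captured from x402-api).
// What a wildcard-configured server answered before the fix, to an
// arbitrary Origin it had never heard of:
const vulnerableHeaders: Record<string, string> = {
  "Access-Control-Allow-Origin": "https://untrusted.example",
  "Access-Control-Allow-Credentials": "true",
  Vary: "Origin",
};
// What the same wildcard configuration should answer after the upgrade:
const fixedHeaders: Record<string, string> = {
  "Access-Control-Allow-Origin": "*",
};

// Runs the audit against both samples; returns [before, after] unsafe flags.
function runAudit(): boolean[] {
  return [
    auditCors("https://untrusted.example", vulnerableHeaders).unsafe, // true
    auditCors("https://untrusted.example", fixedHeaders).unsafe,      // false
  ];
}
```

To reproduce the test plan against a live deployment, feed `auditCors` the headers of a preflight or simple request sent with an arbitrary `Origin` value; a `false` for `unsafe` on the upgraded build is the expected result.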