Observable Timing Discrepancy in hono

Cx5f84137a-beef

hono

Low

3.7/10

Summary

The basicAuth and bearerAuth middlewares previously used a comparison that was not fully timing-safe. The timingSafeEqual function used normal string equality (===) when comparing hash values. This comparison may stop early if values differ, which can theoretically cause small timing differences. The implementation has been updated to use a safer comparison method. This affects version prior to 4.11.10.

Attack Complexity: HIGH
Attack Vector: NETWORK
Integrity Impact: NONE
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: NONE
Confidentiality Impact: LOW
Availability Impact: NONE

CWE-208 - Observable Timing Discrepancy

Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not.

References

Advisory Timeline

Published Feb 18, 2026

Observable Timing Discrepancy in hono

Cx5f84137a-beef

Summary

CWE-208 - Observable Timing Discrepancy

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS