CVE-2023-50710: 
JavaScript vulnerability analysis and mitigation

Hono, a web framework written in TypeScript, disclosed a vulnerability (CVE-2023-50710) affecting versions prior to 3.11.7. The vulnerability allows clients to override named path parameter values from previous requests when using TrieRouter, potentially enabling privileged users to use unintended parameters when deleting REST API resources. This issue affects applications using TrieRouter either explicitly or when matching patterns not supported by the default RegExpRouter (GitHub Advisory).

The vulnerability stems from a design flaw in the TrieRouter implementation where path parameters from previous requests could persist and be overridden in subsequent requests. The issue has been assigned a CVSS v3.1 base score of 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N by NIST NVD, while GitHub assessed it with a score of 4.2 (Medium) and vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L (NVD).

The vulnerability could allow attackers to manipulate path parameters in REST API requests, potentially leading to unauthorized resource modifications or deletions. This is particularly concerning in scenarios where path parameters are used to identify resources in DELETE operations (GitHub Advisory).

The vulnerability has been fixed in version 3.11.7. Users are strongly advised to upgrade to this version immediately. As a workaround, users can avoid using TrieRouter directly. For Deno users, this involves updating the version specifier to v3.11.7, while Node.js users should update the hono package using npm install, yarn add, or pnpm up commands (GitHub Release).

The vulnerability was responsibly disclosed and promptly patched by the Hono development team. The project maintainers have enabled GitHub's private vulnerability reporting feature for future security issues and encourage immediate reporting of any discovered vulnerabilities (GitHub Release).