CVE-2025-62610: 
JavaScript vulnerability analysis and mitigation

Hono's JWT Auth Middleware (versions 1.1.0 to before 4.10.2) contains a vulnerability related to improper authorization in JWT audience validation. The middleware did not validate the aud (Audience) claim by default, which could allow tokens intended for different audiences to be accepted, potentially leading to cross-service access through token mix-up attacks (GitHub Advisory).

The vulnerability stems from the middleware's verifyOptions only enumerating iss, nbf, iat, and exp claims, without including aud validation. This omission violates RFC 7519 §4.1.3, which requires that when an aud claim is present, tokens MUST be rejected unless the processing party identifies itself in that claim. The vulnerability has been assigned CVE-2025-62610 with a CVSS v3.1 score of 8.1 (HIGH), having a vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N (GitHub Advisory, NVD).

The vulnerability primarily affects Hono users who share an issuer/keys across multiple services (common with a single IdP/JWKS) and distinguish tokens by intended recipient using aud. It can lead to cross-service access where a token for Service B may be accepted by Service A, and boundary erosion where ID tokens and access tokens can be intermixed. For example, in Google Identity (OIDC) implementations, an attacker could obtain a valid ID token for a victim user from a separate service and use it to access the API with the victim's privileges (GitHub Advisory).

The issue has been patched in version 4.10.2. Users should upgrade to this version and enable RFC 7519-compliant audience validation using the new verification.aud configuration option. The recommended secure configuration involves explicitly setting the aud parameter in the JWT middleware configuration (GitHub Advisory).