Apache Hono: Insecure String Comparison in Authentication
GHSA-gq3j-xvxp-8hrf
Summary
A security update has been made to the Apache Hono authentication system to prevent potential timing attacks. This change ensures a safer comparison of sensitive data. It's recommended to update to the latest version to take advantage of this security improvement.
What to do
- Update yusukebe hono to version 4.11.10.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| yusukebe | hono | <= 4.11.10 | 4.11.10 |
Original title
Hono added timing comparison hardening in basicAuth and bearerAuth
Original description
## Summary
The `basicAuth` and `bearerAuth` middlewares previously used a comparison that was not fully timing-safe.
The `timingSafeEqual` function used normal string equality (`===`) when comparing hash values. This comparison may stop early if values differ, which can theoretically cause small timing differences.
The implementation has been updated to use a safer comparison method.
## Details
The issue was caused by the use of normal string equality (`===`) when comparing hash values inside the `timingSafeEqual` function.
In JavaScript, string comparison may stop as soon as a difference is found. This means the comparison time can slightly vary depending on how many characters match.
Under very specific and controlled conditions, this behavior could theoretically allow timing-based analysis.
The implementation has been updated to:
- Avoid early termination during comparison
- Use a constant-time-style comparison method
## Impact
This issue is unlikely to be exploited in normal environments.
It may only be relevant in highly controlled situations where precise timing measurements are possible.
This change is considered a security hardening improvement. Users are encouraged to upgrade to the latest version.
CVSS 3.1 score (GHSA): 3.7
Vulnerability type: CWE-208
Published: 19 Feb 2026 · Updated: 7 Mar 2026 · First seen: 6 Mar 2026