CVE-2026-44459

ADVISORY - github

Summary

Improper validation of the JWT NumericDate claims exp, nbf, and iat in hono/utils/jwt allows tokens with non-spec-compliant claim values to silently bypass time-based checks. This issue is not exploitable by an anonymous attacker; it only manifests when a malformed claim value reaches verify() — typically when the application itself issues such tokens, or when the signing key is otherwise under attacker control.

Details

The validation routine combined option, presence, and threshold checks in a single short-circuiting expression, so several classes of malformed values were silently skipped instead of rejected:

  • A falsy numeric value short-circuited the presence check.
  • A non-finite numeric value compared as never-after-now and never-expired.
  • A non-numeric type produced NaN comparisons that evaluated false.

This deviates from RFC 7519 §4.1.4, which defines NumericDate as a finite JSON numeric value.
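The three malformed-value classes above, as an added example in JavaScript that is not Hono's code: a loose check written in the short-circuiting style the advisory describes (constructed for illustration, not the project's implementation) next to a hardened check that requires every enforced claim to be present and a finite number, which is what RFC 7519's NumericDate amounts to on the JavaScript side. The function names (`looseCheck`, `strictCheck`, `isNumericDate`, `compare`, `runAll`), the option shape, the result labels, the fixed `NOW` and the sample payloads are all assumptions of this example.

```javascript
// Added example, not Hono's code. Compares a loose NumericDate check, written
// in the short-circuiting style the advisory describes, with a hardened one.

// RFC 7519 defines NumericDate as a JSON numeric value (seconds since the
// epoch); on the JS side only a finite number qualifies.
function isNumericDate(value) {
  return typeof value === 'number' && Number.isFinite(value);
}

// Loose pattern (constructed illustration, not the project's implementation):
// option, presence and threshold folded into one `&&` chain, so a falsy,
// non-finite or non-numeric claim skips the check instead of failing it.
function looseCheck(payload, now, opts) {
  if (opts.exp && payload.exp && payload.exp < now) return 'expired';
  if (opts.nbf && payload.nbf && payload.nbf > now) return 'not-yet-valid';
  if (opts.iat && payload.iat && payload.iat > now) return 'issued-in-future';
  return 'ok';
}

// Hardened form: for every claim the verifier is configured to enforce, the
// claim must be present and a finite number before any comparison runs.
// An absent enforced claim is rejected here (a design choice of this example).
function strictCheck(payload, now, opts) {
  for (const claim of ['exp', 'nbf', 'iat']) {
    if (opts[claim] && !isNumericDate(payload[claim])) return `invalid-${claim}`;
  }
  if (opts.exp && now >= payload.exp) return 'expired';
  if (opts.nbf && payload.nbf > now) return 'not-yet-valid';
  if (opts.iat && payload.iat > now) return 'issued-in-future';
  return 'ok';
}

// Constructed fixed "current time" (seconds since epoch) so results are deterministic.
const NOW = 1700000000;

// Runs one payload through both checkers. When opts is omitted, exactly the
// claims the payload carries are enforced, so each sample isolates one claim.
function compare(payload, opts) {
  const enabled =
    opts ?? Object.fromEntries(Object.keys(payload).map((k) => [k, true]));
  return {
    loose: looseCheck(payload, NOW, enabled),
    strict: strictCheck(payload, NOW, enabled),
  };
}

// Constructed samples: one per malformed-value class in the advisory, plus
// well-formed controls.
const SAMPLES = {
  falsyExp: { exp: 0 },               // falsy number: presence check short-circuits
  infiniteExp: { exp: Infinity },     // non-finite: never compares as expired
  negInfiniteNbf: { nbf: -Infinity }, // non-finite: never compares as after now
  stringExp: { exp: 'never' },        // non-numeric type: NaN comparison is false
  nullExp: { exp: null },             // falsy non-number: presence check short-circuits
  futureIat: { iat: NOW + 3600 },     // well-formed but issued in the future
  expired: { exp: NOW - 1 },          // well-formed, already expired
  valid: { exp: NOW + 3600, nbf: NOW - 10, iat: NOW - 10 },
};

// Returns { sampleName: { loose, strict } } for every sample.
function runAll() {
  const out = {};
  for (const [name, payload] of Object.entries(SAMPLES)) out[name] = compare(payload);
  return out;
}

console.table(runAll());
```

Every malformed sample comes back `ok` from the loose checker and is either rejected as invalid or correctly treated as expired by the strict one; the well-formed controls give the same verdict from both. Whether an absent claim should be rejected when its check is enabled is a policy decision for the verifier, but the type and finiteness check must run before any comparison regardless of that choice.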

Impact

An actor able to issue tokens accepted by the application may craft tokens whose exp, nbf, or iat claims silently bypass time-based enforcement. This may lead to:

  • Tokens treated as never expiring even with exp configured on the verifier.
  • Tokens with a future nbf accepted as currently valid.
  • Tokens with a future iat accepted as legitimately issued.

Deployments using a well-formed token issuer and protecting the signing key are not affected.

Common Weakness Enumeration (CWE)

Improper Validation of Specified Quantity in Input
