GHSA-gq3j-xvxp-8hrf: Hono added timing comparison hardening in basicAuth and bearerAuth
The basicAuth and bearerAuth middlewares previously used a comparison that was not fully timing-safe.
The timingSafeEqual function used normal string equality (===) when comparing hash values. This comparison may stop early if values differ, which can theoretically cause small timing differences.
The implementation has been updated to use a safer comparison method.