CVE-2025-62610 identifies an improper authorization vulnerability (CWE-285) in the Hono JavaScript web framework’s JWT Auth Middleware affecting versions from 1.1.0 to before 4.10.2. The core issue is the absence of built-in support for verifying the 'aud' (audience) claim in JWTs, which is a critical security check mandated by RFC 7519. The 'aud' claim is intended to ensure that a token is only accepted by the intended recipient service. Without this verification, an API may accept a token issued for a different service but signed by the same issuer and keys, leading to confused-deputy or token mix-up scenarios. This can allow an attacker who has a valid token for one service to gain unauthorized access to another service that shares the same issuer and signing keys, thereby breaching confidentiality and integrity. The vulnerability requires no privileges to exploit but does require the attacker to present a valid token (user interaction). The CVSS v3.1 score is 8.1 (high), reflecting the network attack vector, low complexity, no privileges required, and high impact on confidentiality and integrity. The vulnerability was publicly disclosed on October 22, 2025, and patched in Hono version 4.10.2. No known exploits have been reported in the wild as of now. This vulnerability is particularly relevant for architectures employing multiple microservices or APIs that rely on shared JWT issuers and keys but do not implement audience claim validation themselves.

For European organizations, the impact of this vulnerability can be significant, especially for those deploying microservices or distributed API architectures using the Hono framework versions prior to 4.10.2. The lack of audience claim verification can lead to unauthorized cross-service access, potentially exposing sensitive data or allowing unauthorized actions within internal services. This can compromise confidentiality and integrity of data and services, leading to data breaches, regulatory non-compliance (e.g., GDPR violations), and reputational damage. Since the vulnerability does not affect availability, denial of service is unlikely. However, the ease of exploitation combined with the high impact on data confidentiality and integrity makes this a critical concern. Organizations using shared JWT issuers across multiple services are at heightened risk. The absence of known exploits currently provides a window for proactive remediation. Attackers could leverage stolen or intercepted tokens from one service to access others, bypassing intended access controls.

European organizations should immediately upgrade all Hono framework instances to version 4.10.2 or later, where the audience claim verification is properly implemented. Until upgrades are complete, organizations should implement custom middleware or token validation logic to enforce strict 'aud' claim checks according to RFC 7519, ensuring tokens are only accepted if the audience matches the intended service. Additionally, segregate JWT issuers and signing keys per service to reduce the risk of token misuse across services. Employ robust token issuance policies, including short token lifetimes and secure storage. Conduct thorough audits of all services using Hono to identify shared issuer/key usage and implement compensating controls. Monitor logs for anomalous token usage patterns indicative of token mix-up exploitation attempts. Educate developers and security teams about the importance of audience claim validation in JWT processing. Finally, integrate automated security testing in CI/CD pipelines to detect missing audience validation in future development.