The hono JavaScript web framework before version 4.12.18 improperly validates JWT NumericDate claims (expiration, not before, issued at) in its JWT utility module. This improper validation allows tokens containing malformed claim values that do not conform to the JWT specification to bypass time-based verification checks. The vulnerability is not exploitable by anonymous attackers and typically requires the attacker to control token issuance or the signing key. The issue is addressed in hono version 4.12.18.

Tokens with malformed NumericDate claims can bypass expiration and validity period checks, potentially allowing extended or unauthorized token usage. However, exploitation requires the attacker to have privileged access to issue tokens or control the signing key, limiting the risk to scenarios involving insider threats or compromised signing credentials. The CVSS score is 3.8 (low severity), reflecting limited impact and exploitability.

Upgrade to hono version 4.12.18 or later, where this vulnerability is fixed. Since the vendor advisory confirms the fix in 4.12.18, applying this update fully mitigates the issue. No additional mitigation steps are indicated.