GHSA-gq3j-xvxp-8hrf
Hono added timing comparison hardening in basicAuth and bearerAuth
Details
## Summary
The `basicAuth` and `bearerAuth` middlewares previously used a comparison that was not fully timing-safe.
The `timingSafeEqual` function used normal string equality (`===`) when comparing hash values. This comparison may stop early if values differ, which can theoretically cause small timing differences.
The implementation has been updated to use a safer comparison method.
## Details
The issue was caused by the use of normal string equality (`===`) when comparing hash values inside the `timingSafeEqual` function.
In JavaScript, string comparison may stop as soon as a difference is found. This means the comparison time can slightly vary depending on how many characters match.
Under very specific and controlled conditions, this behavior could theoretically allow timing-based analysis.
The implementation has been updated to:
- Avoid early termination during comparison - Use a constant-time-style comparison method
## Impact
This issue is unlikely to be exploited in normal environments.
It may only be relevant in highly controlled situations where precise timing measurements are possible.
This change is considered a security hardening improvement. Users are encouraged to upgrade to the latest version.
Are you affected?
Enter the version of the package you're using.