Aikido Security Patch: Hono & Clerk/Shared Vulnerabilities Expose Routes to Unauthorized Access & XSS
Aikido has issued a critical security patch addressing two vulnerabilities in its dependencies: a middleware bypass in the Hono framework and a JSX attribute injection in the @clerk/shared library. The first flaw could allow attackers to circumvent authentication and access protected routes, while the second enables HTML injection and cross-site scripting (XSS) attacks. These issues represent a direct threat to application security, requiring immediate dependency upgrades to mitigate potential unauthorized access and client-side code execution.
The vulnerabilities are rooted in specific versions of the `hono` and `@clerk/shared` packages. The Hono middleware bypass is particularly severe for applications relying on its routing for access control. The @clerk/shared JSX injection flaw could be exploited to manipulate web page content. Aikido's analysis confirms the core codebase is not directly affected by breaking changes from the Hono upgrade, as it uses React JSX exclusively and does not utilize Hono's JSX/SSR features or its AWS Lambda adapter. The framework is only present as a transitive dependency via `@modelcontextprotocol/sdk` and as a peer dependency of `inngest`.
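The transitive-dependency point above is the first thing to verify in your own tree: whether `hono` (or `@clerk/shared`) is something you import directly or only arrives through packages such as `@modelcontextprotocol/sdk` and `inngest`. The Node.js script below is an added example, not Aikido's code, that walks an npm `package-lock.json` (lockfileVersion 3) and lists every dependency chain from the project root to a target package; the lockfile contents and version strings are constructed placeholders.

```javascript
// Constructed lockfile fragment mirroring the article's situation: hono reaches the
// tree through @modelcontextprotocol/sdk (regular dependency) and inngest (peer
// dependency). Versions are placeholders, not the affected or fixed releases.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { "@modelcontextprotocol/sdk": "*", inngest: "*", react: "*" } },
    "node_modules/@modelcontextprotocol/sdk": { version: "0.0.0-placeholder", dependencies: { hono: "*" } },
    "node_modules/inngest": { version: "0.0.0-placeholder", peerDependencies: { hono: "*" } },
    "node_modules/hono": { version: "0.0.0-placeholder" },
    "node_modules/react": { version: "0.0.0-placeholder" },
  },
};

// Package name of a lockfile entry key, e.g. "node_modules/a/node_modules/b" -> "b".
function entryName(key) {
  const i = key.lastIndexOf("node_modules/");
  return i === -1 ? key : key.slice(i + "node_modules/".length);
}

// Every chain root -> ... -> target, each hop rendered as "name (dep|peer)".
// Entries are keyed by package name (nested duplicate installs collapse onto one
// entry, which is enough for chain discovery); a per-path visited set guards cycles.
function findDependencyChains(lock, target) {
  const byName = new Map();
  for (const [key, entry] of Object.entries(lock.packages)) {
    if (key !== "") byName.set(entryName(key), entry);
  }
  const chains = [];
  const walk = (entry, path, seen) => {
    const edges = [
      ...Object.keys(entry.dependencies || {}).map((n) => [n, "dep"]),
      ...Object.keys(entry.peerDependencies || {}).map((n) => [n, "peer"]),
    ];
    for (const [name, kind] of edges) {
      if (seen.has(name)) continue;
      const next = [...path, `${name} (${kind})`];
      if (name === target) { chains.push(next); continue; }
      const child = byName.get(name);
      if (child) walk(child, next, new Set(seen).add(name));
    }
  };
  walk(lock.packages[""], [], new Set());
  return chains;
}

// True only when the root package.json lists the target itself (a one-hop chain).
function isDirectDependency(lock, target) {
  return findDependencyChains(lock, target).some((chain) => chain.length === 1);
}

for (const target of ["hono", "@clerk/shared"]) {
  const installed = SAMPLE_LOCK.packages[`node_modules/${target}`];
  console.log(`${target}: ${installed ? `installed ${installed.version}` : "not in lockfile"}`);
  for (const chain of findDependencyChains(SAMPLE_LOCK, target)) console.log("  via " + chain.join(" -> "));
}
```

Point it at a real lockfile with `JSON.parse(fs.readFileSync("package-lock.json"))` in place of `SAMPLE_LOCK`; a chain ending in `(peer)` means the package is only pulled in if something else satisfies the peer range.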
This incident highlights the persistent security risks within modern software supply chains, where indirect dependencies can introduce critical vulnerabilities. For development teams using Hono for server-side rendering or Clerk for authentication, this patch is non-negotiable. The silent nature of these flaws—bypassing middleware and injecting code—means exploitation could occur without obvious signs of compromise, placing user data and system integrity at immediate risk until the updates are fully deployed.