Hono, a web framework, prior to version 4.6.5 is vulnerable to bypass of cross-site request forgery (CSRF) middleware by a request without Content-Type header. Although the CSRF middleware verifies the Content-Type Header, Hono always considers a request without a Content-Type header to be safe. This can allow an attacker to bypass CSRF protection implemented with Hono CSRF middleware. Version 4.6.5 fixes this issue.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/48xxx/CVE-2024-48913.json",
"cna_assigner": "GitHub_M",
"cwe_ids": [
"CWE-352"
]
}{
"source": [
"CPE_RANGE",
"REFERENCES"
],
"cpe": "cpe:2.3:a:hono:hono:*:*:*:*:*:node.js:*:*",
"extracted_events": [
{
"introduced": "0"
},
{
"fixed": "4.6.5"
}
]
}