GHSA-92vj-g62v-jqhh
Suggest an improvement- Source
- https://github.com/advisories/GHSA-92vj-g62v-jqhh
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/09/GHSA-92vj-g62v-jqhh/GHSA-92vj-g62v-jqhh.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-92vj-g62v-jqhh
- Aliases
- Published
- 2025-09-12T21:12:20Z
- Modified
- 2025-09-12T21:57:18.079861Z
- Severity
-
- 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVSS Calculator
- Summary
- Hono has Body Limit Middleware Bypass
- Details
-
Summary
A flaw in the
bodyLimitmiddleware could allow bypassing the configured request body size limit when conflicting HTTP headers were present.Details
The middleware previously prioritized the
Content-Lengthheader even when aTransfer-Encoding: chunkedheader was also included. According to the HTTP specification,Content-Lengthmust be ignored in such cases. This discrepancy could allow oversized request bodies to bypass the configured limit.Most standards-compliant runtimes and reverse proxies may reject such malformed requests with
400 Bad Request, so the practical impact depends on the runtime and deployment environment.Impact
If body size limits are used as a safeguard against large or malicious requests, this flaw could allow attackers to send oversized request bodies. The primary risk is denial of service (DoS) due to excessive memory or CPU consumption when handling very large requests.
Resolution
The implementation has been updated to align with the HTTP specification, ensuring that
Transfer-Encodingtakes precedence overContent-Length. The issue is fixed in Hono v4.9.7, and all users should upgrade immediately. - Database specific
{ "github_reviewed_at": "2025-09-12T21:12:20Z", "github_reviewed": true, "cwe_ids": [ "CWE-400", "CWE-770" ], "nvd_published_at": "2025-09-12T14:15:41Z", "severity": "MODERATE" }- References
Affected packages
npm / hono
Package
- Name
- hono
- View open source insights on deps.dev
- Purl
- pkg:npm/hono