GHSA-hgxw-5xg3-69jx
Suggest an improvement- Source
- https://github.com/advisories/GHSA-hgxw-5xg3-69jx
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-hgxw-5xg3-69jx/GHSA-hgxw-5xg3-69jx.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-hgxw-5xg3-69jx
- Aliases
- Related
- Published
- 2024-04-19T19:48:40Z
- Modified
- 2024-04-19T21:44:10Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- @hono/node-server has Denial of Service risk when receiving Host header that cannot be parsed
- Details
-
Impact
The application hangs when receiving a Host header with a value that
@hono/node-servercan't handle well. Invalid values are those that cannot be parsed by theURLas a hostname such as an empty string, slashes/, and other strings.For example, if you have a simple application:
import { serve } from '@hono/node-server' import { Hono } from 'hono' const app = new Hono() app.get('/', (c) => c.text('Hello')) serve(app)Sending a request with a Host header with an empty value to it:
curl localhost:3000/ -H "Host: "The results:
node:internal/url:775 this.#updateContext(bindingUrl.parse(input, base)); ^ TypeError: Invalid URL at new URL (node:internal/url:775:36) at newRequest (/Users/yusuke/work/h/159/node_modules/@hono/node-server/dist/index.js:137:17) at Server.<anonymous> (/Users/yusuke/work/h/159/node_modules/@hono/node-server/dist/index.js:399:17) at Server.emit (node:events:514:28) at Server.emit (node:domain:488:12) at parserOnIncoming (node:_http_server:1143:12) at HTTPParser.parserOnHeadersComplete (node:_http_common:119:17) { code: 'ERR_INVALID_URL', input: 'http:///' }Patches
The version
1.10.1includes the fix for this issue. But, you should use1.11.0, which has other fixes related to this issue. https://github.com/honojs/node-server/issues/160 https://github.com/honojs/node-server/issues/161Workarounds
Nothing. Upgrade your
@hono/node-server.References
https://github.com/honojs/node-server/issues/159
- Database specific
{ "github_reviewed_at": "2024-04-19T19:48:40Z", "severity": "HIGH", "nvd_published_at": "2024-04-19T19:15:07Z", "github_reviewed": true, "cwe_ids": [ "CWE-755" ] }- References
-
- https://github.com/honojs/node-server/security/advisories/GHSA-hgxw-5xg3-69jx
- https://nvd.nist.gov/vuln/detail/CVE-2024-32652
- https://github.com/honojs/node-server/issues/159
- https://github.com/honojs/node-server/issues/161
- https://github.com/honojs/node-server/commit/306d98f02a8671a0a1fb91ac8fe7e281690c05af
- https://github.com/honojs/node-server/commit/d847e60249fd8183ba0998bc379ba20505643204
- https://github.com/honojs/node-server
Affected packages
npm / @hono/node-server
Package
- Name
- @hono/node-server
- View open source insights on deps.dev
- Purl
- pkg:npm/%40hono/node-server