Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Network-exploitable with no auth required; no confidentiality impact per advisory; low integrity and low availability impact from payload size bypass and elevated resource use.
Primary rating from Vendor (https://github.com/honojs/hono).
CVSS VectorVendor: https://github.com/honojs/hono
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
2Blast Radius
ecosystem impact- 53 npm packages depend on hono (34 direct, 19 indirect)
Ecosystem-wide dependent count for version 4.12.25.
DescriptionCVE.org
Summary
The Body Limit Middleware trusts the request's Content-Length header to decide whether a body is within the limit. On AWS Lambda (API Gateway v1/v2, ALB, VPC Lattice, and Lambda@Edge) the body is delivered fully buffered and the adapter builds the request with the client-declared Content-Length, which need not match the actual payload. A client can declare a tiny Content-Length while sending a much larger body, slipping past the limit.
Details
When Content-Length is present and Transfer-Encoding is absent, the middleware compares the declared value against the limit and passes the request through if it is small enough. On standards-based runtimes the transport enforces that Content-Length matches the body, so this is safe. The Lambda adapters instead reconstruct the request from a buffered payload and copy the client's Content-Length verbatim, so the declared length and the real body size are decoupled.
This issue affects applications deployed on AWS Lambda that rely on the Body Limit Middleware to cap request body size.
Impact
The declared body-size limit can be bypassed: a handler reads a payload larger than the configured maximum. Processing the oversized payload (large JSON, multipart, etc.) consumes additional CPU and memory per request. The payload remains bounded by the platform's request size limits, and Lambda isolates invocations, so the impact is increased per-request resource usage rather than full denial of service. This affects applications deployed on AWS Lambda that use the Body Limit Middleware.
AnalysisAI
Body Limit Middleware bypass in Hono (npm/hono < 4.12.25) allows unauthenticated remote clients to send payloads exceeding the configured size limit when the application is deployed on AWS Lambda. By understating the Content-Length request header, attackers exploit the Lambda adapter's trust of client-declared header values to slip oversized bodies - large JSON, multipart uploads, etc. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires three concurrent conditions: (1) the application must be deployed on AWS Lambda using one of the affected adapters - API Gateway v1/v2, ALB, VPC Lattice, or Lambda@Edge; (2) the application must use Hono's Body Limit Middleware as its mechanism for capping incoming payload size; (3) the hono package version must be below 4.12.25. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS score of 6.5 with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N reflects low attack complexity and no authentication requirement, both consistent with the description. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker targeting a Hono application on AWS Lambda sends an HTTP POST with the header `Content-Length: 50` but a body containing several megabytes of JSON or multipart data. The Body Limit Middleware reads the declared 50-byte value, determines it is below the configured limit, and passes the request to the handler without inspecting the actual payload size. … |
| Remediation | Upgrade the hono npm package to version 4.12.25 or later, which corrects the Body Limit Middleware to verify actual payload size rather than trusting the client-supplied Content-Length header; run `npm install hono@4.12.25` or the equivalent for your package manager. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38331
GHSA-rv63-4mwf-qqc2