Skip to main content

Hono CVE-2026-54288

| EUVDEUVD-2026-38331 MEDIUM
Insufficient Verification of Data Authenticity (CWE-345)
2026-06-16 https://github.com/honojs/hono GHSA-rv63-4mwf-qqc2
6.5
CVSS 3.1 · Vendor: https://github.com/honojs/hono
Share

Severity by source

Vendor (https://github.com/honojs/hono) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
vuln.today AI
6.5 MEDIUM

Network-exploitable with no auth required; no confidentiality impact per advisory; low integrity and low availability impact from payload size bypass and elevated resource use.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (https://github.com/honojs/hono).

CVSS VectorVendor: https://github.com/honojs/hono

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 16, 2026 - 15:21 vuln.today
Analysis Generated
Jun 16, 2026 - 15:21 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 53 npm packages depend on hono (34 direct, 19 indirect)

Ecosystem-wide dependent count for version 4.12.25.

DescriptionCVE.org

Summary

The Body Limit Middleware trusts the request's Content-Length header to decide whether a body is within the limit. On AWS Lambda (API Gateway v1/v2, ALB, VPC Lattice, and Lambda@Edge) the body is delivered fully buffered and the adapter builds the request with the client-declared Content-Length, which need not match the actual payload. A client can declare a tiny Content-Length while sending a much larger body, slipping past the limit.

Details

When Content-Length is present and Transfer-Encoding is absent, the middleware compares the declared value against the limit and passes the request through if it is small enough. On standards-based runtimes the transport enforces that Content-Length matches the body, so this is safe. The Lambda adapters instead reconstruct the request from a buffered payload and copy the client's Content-Length verbatim, so the declared length and the real body size are decoupled.

This issue affects applications deployed on AWS Lambda that rely on the Body Limit Middleware to cap request body size.

Impact

The declared body-size limit can be bypassed: a handler reads a payload larger than the configured maximum. Processing the oversized payload (large JSON, multipart, etc.) consumes additional CPU and memory per request. The payload remains bounded by the platform's request size limits, and Lambda isolates invocations, so the impact is increased per-request resource usage rather than full denial of service. This affects applications deployed on AWS Lambda that use the Body Limit Middleware.

AnalysisAI

Body Limit Middleware bypass in Hono (npm/hono < 4.12.25) allows unauthenticated remote clients to send payloads exceeding the configured size limit when the application is deployed on AWS Lambda. By understating the Content-Length request header, attackers exploit the Lambda adapter's trust of client-declared header values to slip oversized bodies - large JSON, multipart uploads, etc. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Send HTTP POST with understated Content-Length header
Delivery
Body Limit Middleware reads declared (small) value
Exploit
Middleware passes request without reading actual payload
Execution
Lambda adapter delivers full buffered body to handler
Persist
Handler processes oversized payload
Impact
Elevated CPU and memory consumed per Lambda invocation

Vulnerability AssessmentAI

Exploitation Exploitation requires three concurrent conditions: (1) the application must be deployed on AWS Lambda using one of the affected adapters - API Gateway v1/v2, ALB, VPC Lattice, or Lambda@Edge; (2) the application must use Hono's Body Limit Middleware as its mechanism for capping incoming payload size; (3) the hono package version must be below 4.12.25. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS score of 6.5 with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N reflects low attack complexity and no authentication requirement, both consistent with the description. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker targeting a Hono application on AWS Lambda sends an HTTP POST with the header `Content-Length: 50` but a body containing several megabytes of JSON or multipart data. The Body Limit Middleware reads the declared 50-byte value, determines it is below the configured limit, and passes the request to the handler without inspecting the actual payload size. …
Remediation Upgrade the hono npm package to version 4.12.25 or later, which corrects the Body Limit Middleware to verify actual payload size rather than trusting the client-supplied Content-Length header; run `npm install hono@4.12.25` or the equivalent for your package manager. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-54288 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy