Skip to main content

Hono CVE-2026-54289

| EUVDEUVD-2026-38330 MEDIUM
Use of Less Trusted Source (CWE-348)
2026-06-16 https://github.com/honojs/hono GHSA-wgpf-jwqj-8h8p
4.8
CVSS 3.1 · Vendor: https://github.com/honojs/hono
Share

Severity by source

Vendor (https://github.com/honojs/hono) PRIMARY
4.8 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
vuln.today AI
4.8 MEDIUM

Network vector with high complexity because exploitation requires Lambda@Edge deployment plus header-chain-dependent security middleware; low C and I reflect partial access control weakening with no availability impact.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
4.0 AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (https://github.com/honojs/hono).

CVSS VectorVendor: https://github.com/honojs/hono

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 16, 2026 - 15:21 vuln.today
Analysis Generated
Jun 16, 2026 - 15:21 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 53 npm packages depend on hono (34 direct, 19 indirect)

Ecosystem-wide dependent count for version 4.12.25.

DescriptionCVE.org

Summary

On AWS Lambda@Edge, CloudFront delivers a request header that appears more than once as several separate entries. The adapter writes each value with Headers.set instead of Headers.append, so every value overwrites the previous one and only the last reaches the application. Repeated request headers such as X-Forwarded-For, Forwarded, and Via are silently truncated to a single value.

Details

A repeated request header carries an ordered list of values. The adapter iterates the list but overwrites on each step, keeping only the final value. Middleware that depends on the full list - for example IP restriction that walks the X-Forwarded-For chain, or auditing based on Forwarded/Via hops - receives incomplete data. The API Gateway adapter already appends repeated values and is not affected.

This issue arises only on Lambda@Edge deployments, for requests that contain the same header more than once.

Impact

Request middleware sees only the last value of a repeated header instead of the full chain. For applications that base access control on the X-Forwarded-For chain, this can weaken or alter that decision; for auditing, hop history is lost. This affects applications deployed on AWS Lambda@Edge that rely on multi-value request headers.

AnalysisAI

Header chain truncation in Hono's Lambda@Edge adapter silently discards all but the last value of repeated request headers, undermining IP-based access control and audit integrity for applications deployed on AWS Lambda@Edge. The adapter incorrectly uses Headers.set instead of Headers.append when converting CloudFront's multi-value header format, meaning headers such as X-Forwarded-For, Forwarded, and Via are reduced to a single entry before reaching application middleware. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft request with multi-entry X-Forwarded-For header
Delivery
Route through CloudFront to Lambda@Edge
Exploit
Hono adapter overwrites header values using set()
Execution
Application receives only final header value
Persist
IP restriction middleware evaluates incomplete chain
Impact
Access control decision weakened or bypassed

Vulnerability AssessmentAI

Exploitation Exploitation requires all of the following concurrent conditions: (1) the application must be deployed on AWS Lambda@Edge specifically - the API Gateway adapter is not affected; (2) the application must use Hono's Lambda@Edge adapter at a version below 4.12.25; (3) the application must include middleware that makes security-relevant decisions (access control, IP restriction, or auditing) based on the full value chain of headers such as `X-Forwarded-For`, `Forwarded`, or `Via`; (4) the attacker must be in a position to influence upstream headers so that CloudFront delivers the target header more than once in the event payload. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 3.1 vector (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N) scores 4.8 (Medium) and is consistent with the described vulnerability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker routes a request through multiple proxy hops to a CloudFront distribution fronting a Hono Lambda@Edge application, generating a multi-entry `X-Forwarded-For` header chain where an allowlisted IP appears earlier in the chain and the attacker's own IP appears last. Because the adapter discards all but the last value, the application's IP restriction middleware evaluates only the attacker's IP - potentially the entry most favorable to the attacker, depending on how the middleware interprets the chain - rather than the full ordered list. …
Remediation Upgrade the `hono` npm package to version 4.12.25 or later, which replaces the incorrect `Headers.set` call with `Headers.append` in the Lambda@Edge adapter. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-54289 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy