Skip to main content

Hono Framework CVE-2026-59897

| EUVDEUVD-2026-42325 MEDIUM
Use of Less Trusted Source (CWE-348)
2026-07-08 GitHub_M
5.3
CVSS 3.1 · NVD
Share

Severity by source

Vendor (GitHub_M) PRIMARY
MEDIUM
qualitative
NVD
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
vuln.today AI
4.8 MEDIUM

Network-reachable via API Gateway (AV:N) but requires crafted substring-overlapping header values and v1 adapter deployment (AC:H); no auth needed; limited C/I via security-control bypass; no availability impact.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

3
CVSS changed
Jul 10, 2026 - 19:52 NVD
4.8 (MEDIUM) 5.3 (MEDIUM)
Patch available
Jul 08, 2026 - 18:02 EUVD
Analysis Generated
Jul 08, 2026 - 17:13 vuln.today

DescriptionNVD

Hono is a Web application framework that provides support for any JavaScript runtime. From 4.3.3 before 4.12.27, the AWS API Gateway v1 adapter can drop a distinct repeated request header value because it de-duplicates values using a substring comparison instead of an exact match, so middleware or application logic that depends on the complete X-Forwarded-For chain, rate limiting, audit logging, or proxy-chain validation can receive incomplete data. This issue is fixed in version 4.12.27.

AnalysisAI

Header de-duplication logic in Hono's AWS API Gateway v1 adapter silently drops distinct repeated header values because it uses substring comparison rather than exact string equality, meaning a value like '10.0.0.1' would incorrectly suppress '10.0.0.10'. Middleware or application logic relying on a complete X-Forwarded-For chain, rate limiting counters, audit trail integrity, or proxy-chain trust validation receives a truncated view of the request. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify target using Hono AWS API Gateway v1 adapter
Delivery
Craft request with overlapping X-Forwarded-For values triggering substring match
Exploit
Adapter drops distinct header entry during de-duplication
Execution
Security middleware receives truncated header chain
Impact
IP-based rate limit or blocklist control bypassed

Vulnerability AssessmentAI

Exploitation Exploitation requires that the application is deployed on AWS Lambda behind an AWS API Gateway v1 (REST API) endpoint - not API Gateway v2 (HTTP API). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD CVSS 3.1 score of 4.8 (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N) accurately reflects a medium-severity, network-accessible issue with elevated attack complexity. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker sends a crafted HTTP request through an AWS API Gateway v1 endpoint with X-Forwarded-For values engineered so that one IP address is a substring of another (for example, '192.168.1.1' alongside '192.168.1.10'). The Hono adapter's substring de-duplication silently drops one entry, causing an upstream rate-limiting middleware to see a shorter chain and potentially misidentify the originating IP, allowing the attacker to exceed rate limits or evade IP-based blocklisting. …
Remediation Vendor-released patch: v4.12.27. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Hono

View all
CVE-2024-48913 MEDIUM POC
5.9 Oct 15

Hono, a web framework, prior to version 4.6.5 is vulnerable to bypass of cross-site request forgery (CSRF) middleware by

CVE-2024-32869 MEDIUM POC
5.3 Apr 23

Hono is a Web application framework that provides support for any JavaScript runtime. Rated medium severity (CVSS 5.3),

CVE-2024-43787 MEDIUM POC
5.0 Aug 22

Hono is a Web application framework that provides support for any JavaScript runtime. Rated medium severity (CVSS 5.0),

CVE-2023-50710 MEDIUM POC
4.3 Dec 14

Hono is a web framework written in TypeScript. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploita

CVE-2026-27700 HIGH
8.2 Feb 25

Hono is a Web application framework that provides support for any JavaScript runtime. [CVSS 8.2 HIGH]

CVE-2026-22818 HIGH
8.2 Jan 13

Hono versions before 4.11.4 allow JWT algorithm confusion attacks through improper algorithm validation in the JWK/JWKS

CVE-2026-22817 HIGH
8.2 Jan 13

Hono before version 4.11.4 contains a JWT algorithm confusion vulnerability in its JWK/JWKS verification middleware that

CVE-2026-29045 HIGH
7.5 Mar 04

Hono versions prior to 4.12.4 suffer from an authentication bypass in serveStatic when combined with route-based middlew

CVE-2020-27217 HIGH
7.5 Nov 13

In Eclipse Hono version 1.3.0 and 1.4.0 the AMQP protocol adapter does not verify the size of AMQP messages received fro

CVE-2025-71381 MEDIUM
6.9 Jun 30

Header injection in Hono's CORS middleware exposes applications to cache key pollution across versions before 4.10.3. Wh

CVE-2026-56762 MEDIUM
6.9 Jun 23

Missing cookie name validation on the write path in Hono's setCookie(), serialize(), and serializeSigned() functions all

CVE-2026-59896 MEDIUM
6.5 Jul 08

Server-side rendering in Hono's JSX module (versions 4.11.8 through before 4.12.27) fails to isolate context values per

Share

CVE-2026-59897 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy