Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Network-reachable via API Gateway (AV:N) but requires crafted substring-overlapping header values and v1 adapter deployment (AC:H); no auth needed; limited C/I via security-control bypass; no availability impact.
Primary rating from Vendor (GitHub_M).
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
3DescriptionNVD
Hono is a Web application framework that provides support for any JavaScript runtime. From 4.3.3 before 4.12.27, the AWS API Gateway v1 adapter can drop a distinct repeated request header value because it de-duplicates values using a substring comparison instead of an exact match, so middleware or application logic that depends on the complete X-Forwarded-For chain, rate limiting, audit logging, or proxy-chain validation can receive incomplete data. This issue is fixed in version 4.12.27.
AnalysisAI
Header de-duplication logic in Hono's AWS API Gateway v1 adapter silently drops distinct repeated header values because it uses substring comparison rather than exact string equality, meaning a value like '10.0.0.1' would incorrectly suppress '10.0.0.10'. Middleware or application logic relying on a complete X-Forwarded-For chain, rate limiting counters, audit trail integrity, or proxy-chain trust validation receives a truncated view of the request. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the application is deployed on AWS Lambda behind an AWS API Gateway v1 (REST API) endpoint - not API Gateway v2 (HTTP API). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD CVSS 3.1 score of 4.8 (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N) accurately reflects a medium-severity, network-accessible issue with elevated attack complexity. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker sends a crafted HTTP request through an AWS API Gateway v1 endpoint with X-Forwarded-For values engineered so that one IP address is a substring of another (for example, '192.168.1.1' alongside '192.168.1.10'). The Hono adapter's substring de-duplication silently drops one entry, causing an upstream rate-limiting middleware to see a shorter chain and potentially misidentify the originating IP, allowing the attacker to exceed rate limits or evade IP-based blocklisting. … |
| Remediation | Vendor-released patch: v4.12.27. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Hono, a web framework, prior to version 4.6.5 is vulnerable to bypass of cross-site request forgery (CSRF) middleware by
Hono is a Web application framework that provides support for any JavaScript runtime. Rated medium severity (CVSS 5.3),
Hono is a Web application framework that provides support for any JavaScript runtime. Rated medium severity (CVSS 5.0),
Hono is a web framework written in TypeScript. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploita
Hono is a Web application framework that provides support for any JavaScript runtime. [CVSS 8.2 HIGH]
Hono versions before 4.11.4 allow JWT algorithm confusion attacks through improper algorithm validation in the JWK/JWKS
Hono before version 4.11.4 contains a JWT algorithm confusion vulnerability in its JWK/JWKS verification middleware that
Hono versions prior to 4.12.4 suffer from an authentication bypass in serveStatic when combined with route-based middlew
In Eclipse Hono version 1.3.0 and 1.4.0 the AMQP protocol adapter does not verify the size of AMQP messages received fro
Header injection in Hono's CORS middleware exposes applications to cache key pollution across versions before 4.10.3. Wh
Missing cookie name validation on the write path in Hono's setCookie(), serialize(), and serializeSigned() functions all
Server-side rendering in Hono's JSX module (versions 4.11.8 through before 4.12.27) fails to isolate context values per
Same weakness CWE-348 – Use of Less Trusted Source
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42325