Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Network vector with high complexity because exploitation requires Lambda@Edge deployment plus header-chain-dependent security middleware; low C and I reflect partial access control weakening with no availability impact.
Primary rating from Vendor (https://github.com/honojs/hono).
CVSS VectorVendor: https://github.com/honojs/hono
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
2Blast Radius
ecosystem impact- 53 npm packages depend on hono (34 direct, 19 indirect)
Ecosystem-wide dependent count for version 4.12.25.
DescriptionCVE.org
Summary
On AWS Lambda@Edge, CloudFront delivers a request header that appears more than once as several separate entries. The adapter writes each value with Headers.set instead of Headers.append, so every value overwrites the previous one and only the last reaches the application. Repeated request headers such as X-Forwarded-For, Forwarded, and Via are silently truncated to a single value.
Details
A repeated request header carries an ordered list of values. The adapter iterates the list but overwrites on each step, keeping only the final value. Middleware that depends on the full list - for example IP restriction that walks the X-Forwarded-For chain, or auditing based on Forwarded/Via hops - receives incomplete data. The API Gateway adapter already appends repeated values and is not affected.
This issue arises only on Lambda@Edge deployments, for requests that contain the same header more than once.
Impact
Request middleware sees only the last value of a repeated header instead of the full chain. For applications that base access control on the X-Forwarded-For chain, this can weaken or alter that decision; for auditing, hop history is lost. This affects applications deployed on AWS Lambda@Edge that rely on multi-value request headers.
AnalysisAI
Header chain truncation in Hono's Lambda@Edge adapter silently discards all but the last value of repeated request headers, undermining IP-based access control and audit integrity for applications deployed on AWS Lambda@Edge. The adapter incorrectly uses Headers.set instead of Headers.append when converting CloudFront's multi-value header format, meaning headers such as X-Forwarded-For, Forwarded, and Via are reduced to a single entry before reaching application middleware. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires all of the following concurrent conditions: (1) the application must be deployed on AWS Lambda@Edge specifically - the API Gateway adapter is not affected; (2) the application must use Hono's Lambda@Edge adapter at a version below 4.12.25; (3) the application must include middleware that makes security-relevant decisions (access control, IP restriction, or auditing) based on the full value chain of headers such as `X-Forwarded-For`, `Forwarded`, or `Via`; (4) the attacker must be in a position to influence upstream headers so that CloudFront delivers the target header more than once in the event payload. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 3.1 vector (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N) scores 4.8 (Medium) and is consistent with the described vulnerability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker routes a request through multiple proxy hops to a CloudFront distribution fronting a Hono Lambda@Edge application, generating a multi-entry `X-Forwarded-For` header chain where an allowlisted IP appears earlier in the chain and the attacker's own IP appears last. Because the adapter discards all but the last value, the application's IP restriction middleware evaluates only the attacker's IP - potentially the entry most favorable to the attacker, depending on how the middleware interprets the chain - rather than the full ordered list. … |
| Remediation | Upgrade the `hono` npm package to version 4.12.25 or later, which replaces the incorrect `Headers.set` call with `Headers.append` in the Lambda@Edge adapter. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-348 – Use of Less Trusted Source
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38330
GHSA-wgpf-jwqj-8h8p