Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Network-exploitable with no auth required; no confidentiality impact per advisory; low integrity and low availability impact from payload size bypass and elevated resource use.
Primary rating from Vendor (https://github.com/honojs/hono).
CVSS VectorVendor: https://github.com/honojs/hono
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
2Blast Radius
ecosystem impact- 53 npm packages depend on hono (34 direct, 19 indirect)
Ecosystem-wide dependent count for version 4.12.25.
DescriptionCVE.org
Summary
The Body Limit Middleware trusts the request's Content-Length header to decide whether a body is within the limit. On AWS Lambda (API Gateway v1/v2, ALB, VPC Lattice, and Lambda@Edge) the body is delivered fully buffered and the adapter builds the request with the client-declared Content-Length, which need not match the actual payload. A client can declare a tiny Content-Length while sending a much larger body, slipping past the limit.
Details
When Content-Length is present and Transfer-Encoding is absent, the middleware compares the declared value against the limit and passes the request through if it is small enough. On standards-based runtimes the transport enforces that Content-Length matches the body, so this is safe. The Lambda adapters instead reconstruct the request from a buffered payload and copy the client's Content-Length verbatim, so the declared length and the real body size are decoupled.
This issue affects applications deployed on AWS Lambda that rely on the Body Limit Middleware to cap request body size.
Impact
The declared body-size limit can be bypassed: a handler reads a payload larger than the configured maximum. Processing the oversized payload (large JSON, multipart, etc.) consumes additional CPU and memory per request. The payload remains bounded by the platform's request size limits, and Lambda isolates invocations, so the impact is increased per-request resource usage rather than full denial of service. This affects applications deployed on AWS Lambda that use the Body Limit Middleware.
AnalysisAI
Body Limit Middleware bypass in Hono (npm/hono < 4.12.25) allows unauthenticated remote clients to send payloads exceeding the configured size limit when the application is deployed on AWS Lambda. By understating the Content-Length request header, attackers exploit the Lambda adapter's trust of client-declared header values to slip oversized bodies - large JSON, multipart uploads, etc. - past the middleware check, forcing handlers to process payloads larger than intended and inflating per-request CPU and memory consumption. No public exploit has been identified at time of analysis; the issue is fixed in hono 4.12.25.
Technical ContextAI
Hono is a lightweight TypeScript/JavaScript web framework targeting edge and serverless environments. Its Body Limit Middleware enforces a maximum payload size by inspecting the Content-Length header: when that header is present and Transfer-Encoding is absent, the middleware short-circuits based on the declared value without reading or measuring the actual body bytes. On standards-compliant runtimes - Node.js HTTP, Deno, Bun - the transport layer guarantees that Content-Length accurately reflects body size, so this check is safe. However, the AWS Lambda adapters for API Gateway v1/v2, ALB, VPC Lattice, and Lambda@Edge reconstruct the Request object from a fully buffered payload and copy the client-supplied Content-Length verbatim, decoupling the declared length from the real payload size. The root cause maps to CWE-345 (Insufficient Verification of Data Authenticity): the middleware trusts an externally-controlled header rather than measuring the actual payload it will process. Affected package is pkg:npm/hono, versions below 4.12.25.
RemediationAI
Upgrade the hono npm package to version 4.12.25 or later, which corrects the Body Limit Middleware to verify actual payload size rather than trusting the client-supplied Content-Length header; run npm install hono@4.12.25 or the equivalent for your package manager. The vendor-released patch is documented in GHSA-rv63-4mwf-qqc2 at https://github.com/honojs/hono/security/advisories/GHSA-rv63-4mwf-qqc2. If an immediate upgrade is not possible, a compensating control is to configure a WAF rule at the API Gateway or ALB layer that rejects or truncates requests whose actual content length exceeds the application's expected maximum before the request reaches Lambda; this shifts enforcement to the infrastructure layer but requires keeping the WAF limit synchronized with application changes. Alternatively, replace reliance on Body Limit Middleware with explicit body-reading and byte-counting inside the route handler, which operates on the actual buffered payload regardless of declared headers. Note that removing Body Limit Middleware without a replacement control eliminates the false protection while leaving handlers fully exposed to platform-maximum payloads.
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38331
GHSA-rv63-4mwf-qqc2