Description
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.25, the Body Limit Middleware trusts the request's Content-Length header to decide whether a body is within the limit. On AWS Lambda (API Gateway v1/v2, ALB, VPC Lattice, and Lambda@Edge) the body is delivered fully buffered and the adapter builds the request with the client-declared Content-Length, which need not match the actual payload. A client can declare a tiny Content-Length while sending a much larger body, slipping past the limit. This vulnerability is fixed in 4.12.25.
Severity (CVSS)
| Base score | 6.5 |
|---|---|
| Severity | Medium |
| Version | CVSS 3.1 |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
| Provided by | CNA |
Weaknesses
- CWE-345 — CWE-345: Insufficient Verification of Data Authenticity
Affected products
| Vendor | Product | Versions |
|---|---|---|
| honojs | hono | < 4.12.25 |
References
- https://github.com/honojs/hono/security/advisories/GHSA-rv63-4mwf-qqc2 (x_refsource_CONFIRM)
Generated from the official CVE List on 23 Jun 2026 10:05 UTC.