63 matches found

NVD
added 2026/06/23 1:16 p.m. | 9 views

CVE-2026-54892

Inefficient algorithmic complexity in Plug's nested-parameter decoder allows an unauthenticated remote attacker to cause denial of service. Plug.Conn.Query.decode/4 and Plug.Conn.Query.decode_each/2 parse query strings and application/x-www-form-urlencoded request bodies. When a key contains many...

CVSS 8.7 | EPSS 0.00707
Exploits: 0 | References: 8

NVD
added 2026/06/22 7:17 p.m. | 9 views

CVE-2026-54288

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.25, the Body Limit Middleware trusts the request's Content-Length header to decide whether a body is within the limit. On AWS Lambda API Gateway v1/v2, ALB, VPC Lattice, and Lambda@Edge the body is...

CVSS 6.5 | EPSS 0.00103
Exploits: 0 | References: 1

Cvelist
added 2026/06/22 5:18 p.m. | 30 views

CVE-2026-54288 Hono: Body Limit Middleware can be bypassed on AWS Lambda by understating `Content-Length`

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.25, the Body Limit Middleware trusts the request's Content-Length header to decide whether a body is within the limit. On AWS Lambda API Gateway v1/v2, ALB, VPC Lattice, and Lambda@Edge the body is...

CVSS 6.5 | EPSS 0.00103
Exploits: 0 | References: 1

CVE
added 2026/06/22 5:18 p.m. | 24 views

CVE-2026-54288

The CVE-2026-54288 issue affects the Hono Web framework prior to version 4.12.25, where the Body Limit Middleware trusts the request Content-Length header. On AWS Lambda environments (API Gateway v1/v2, ALB, VPC Lattice, and Lambda@Edge), the body is fully buffered and the adapter builds the requ...

CVSS 6.5 | AI score 5.8 | EPSS 0.00103
Exploits: 0 | References: 1

Github Security Blog
added 2026/06/16 2:32 p.m. | 11 views

hono: Body Limit Middleware can be bypassed on AWS Lambda by understating `Content-Length`

Summary: The Body Limit Middleware trusts the request's Content-Length header to decide whether a body is within the limit. On AWS Lambda API Gateway v1/v2, ALB, VPC Lattice, and Lambda@Edge the body is delivered fully buffered and the adapter builds the request with the client-declared...

CVSS 6.5 | AI score 5.4 | EPSS 0.00103
Exploits: 0 | References: 2 | Affected Software: 1

Patchstack
added 2026/06/16 2:32 p.m. | 4 views

NPM: hono: Body Limit Middleware can be bypassed on AWS Lambda by understating `Content-Length`

NPM: hono: Body Limit Middleware can be bypassed on AWS Lambda by understating Content-Length vulnerability discovered by ? in WordPress Npm hono versions 4.12.25...

CVSS 6.5 | AI score 5.8 | EPSS 0.00103
Exploits: 0 | References: 2 | Affected Software: 1

Snyk
added 2026/06/16 2:32 p.m. | 9 views

Insufficient Verification of Data Authenticity

Overview: hono is an Ultrafast web framework for the Edges. Affected versions of this package are vulnerable to Insufficient Verification of Data Authenticity in the Body Limit Middleware. An attacker can cause the application to process payloads larger than the configured maximum by understating t...

CVSS 6.9 | AI score 5.9 | EPSS 0.00103
Exploits: 0 | References: 2

Positive Technologies
added 2026/06/16 12:0 a.m. | 14 views

PT-2026-49735

Name of the Vulnerable Software and Affected Versions: Hono versions prior to 4.12.25. Description: The Body Limit Middleware trusts the Content-Length header to determine if a request body is within the allowed limit. In environments such as AWS Lambda including API Gateway v1/v2, ALB, VPC Lattice,...

CVSS 6.5 | AI score 5.8 | EPSS 0.00103
Exploits: 0 | References: 4

NVD
added 2026/05/13 4:16 p.m. | 20 views

CVE-2026-44456

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.16, bodyLimit does not reliably enforce maxSize for requests without a usable Content-Length (e.g. Transfer-Encoding: chunked). Oversized requests can reach handlers and return 200 instead of 413. Th...

CVSS 6.5 | EPSS 0.00219
Exploits: 0 | References: 1

CVE
added 2026/05/13 2:58 p.m. | 15 views

CVE-2026-44456

CVE-2026-44456 affects hono; prior to version 4.12.16, bodyLimit() may fail to enforce maxSize for requests without Content-Length (e.g., Transfer-Encoding: chunked), allowing oversized requests to reach handlers and potentially return 200 instead of 413. The issue is resolved in 4.12.16. Affecte...

CVSS 6.5 | AI score 5.8 | EPSS 0.00219
Exploits: 0 | References: 1 | Affected Software: 1

ATTACKERKB
added 2026/05/13 2:58 p.m. | 7 views

CVE-2026-44456

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.16, bodyLimit does not reliably enforce maxSize for requests without a usable Content-Length (e.g. Transfer-Encoding: chunked). Oversized requests can reach handlers and return 200 instead of 413. Th...

CVSS 6.5 | AI score 5.8 | EPSS 0.00219
Exploits: 0 | References: 2 | Affected Software: 1

Positive Technologies
added 2026/05/08 12:0 a.m. | 13 views

PT-2026-39242

Name of the Vulnerable Software and Affected Versions: Volcano versions prior to 1.14.2; Volcano versions prior to 1.13.3; Volcano versions prior to 1.12.4. Description: The Volcano webhook server fails to enforce a size limit on incoming HTTP request bodies. This allows any in-cluster pod capable of...

CVSS 7.4 | AI score 5.8 | EPSS 0.00173
Exploits: 0 | References: 8

Patchstack
added 2026/05/06 11:50 p.m. | 10 views

NPM: Hono: bodyLimit() can be bypassed for chunked / unknown-length requests

NPM: Hono: bodyLimit can be bypassed for chunked / unknown-length requests vulnerability discovered by ? in WordPress Npm hono versions 4.12.16...

CVSS 6.5 | AI score 5.8 | EPSS 0.00219
Exploits: 0 | References: 3 | Affected Software: 1

Github Security Blog
added 2026/05/06 11:50 p.m. | 26 views

Hono: bodyLimit() can be bypassed for chunked / unknown-length requests

Summary: bodyLimit does not reliably enforce maxSize for requests without a usable Content-Length (e.g. Transfer-Encoding: chunked). Oversized requests can reach handlers and return 200 instead of 413. Details: For chunked / unknown-length requests, bodyLimit wraps the body in a stream that counts...

CVSS 6.5 | AI score 5.8 | EPSS 0.00219
Exploits: 0 | References: 3 | Affected Software: 1

OSV
added 2026/05/06 11:50 p.m. | 5 views

GHSA-9VQF-7F2P-GF9V Hono: bodyLimit() can be bypassed for chunked / unknown-length requests

Summary: bodyLimit does not reliably enforce maxSize for requests without a usable Content-Length (e.g. Transfer-Encoding: chunked). Oversized requests can reach handlers and return 200 instead of 413. Details: For chunked / unknown-length requests, bodyLimit wraps the body in a stream that counts...

CVSS 6.5 | AI score 5.8 | EPSS 0.00219
Exploits: 0 | References: 3

Snyk
added 2026/05/06 11:50 p.m. | 11 views

Allocation of Resources Without Limits or Throttling

Overview: hono is an Ultrafast web framework for the Edges. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the bodyLimit function. An attacker can bypass request size restrictions by sending chunked or unknown-length requests, allowing...

CVSS 8.7 | AI score 5.8 | EPSS 0.00219
Exploits: 0 | References: 2

Positive Technologies
added 2026/05/06 12:0 a.m. | 12 views

PT-2026-38319

Name of the Vulnerable Software and Affected Versions: Hono versions prior to 4.12.16. Description: The bodyLimit function does not reliably enforce the maxSize parameter for requests that lack a usable Content-Length, such as those using Transfer-Encoding: chunked. For these requests, the function...

CVSS 6.5 | AI score 5.9 | EPSS 0.00219
Exploits: 0 | References: 170

NVD
added 2026/03/27 7:16 p.m. | 5 views

CVE-2026-26061

Fleet is open source device management software. Prior to 4.81.0, Fleet contained multiple unauthenticated HTTP endpoints that read request bodies without enforcing a size limit. An unauthenticated attacker could exploit this behavior by sending large or repeated HTTP payloads, causing excessive...

CVSS 8.7 | EPSS 0.00434
Exploits: 0 | References: 1

Positive Technologies
added 2026/03/27 12:0 a.m. | 2 views

PT-2026-28347

Name of the Vulnerable Software and Affected Versions: Fleet versions prior to 4.81.0. Description: Fleet, an open source device management software, has multiple unauthenticated HTTP endpoints that do not enforce a size limit when reading request bodies. An unauthenticated attacker can exploit this...

CVSS 8.7 | AI score 5.9 | EPSS 0.00619
Exploits: 1 | References: 45

EUVD
added 2026/02/25 10:33 p.m. | 9 views

EUVD-2026-7451

Astro has memory exhaustion DoS due to missing request body size limit in Server Actions...

CVSS 7.5 | AI score 5.3 | EPSS 0.00415
Exploits: 1 | References: 6