238 matches found
CVE-2025-59139 Hono has Body Limit Middleware Bypass
Hono is a Web application framework that provides support for any JavaScript runtime. In versions prior to 4.9.7, a flaw in the bodyLimit middleware could allow bypassing the configured request body size limit when conflicting HTTP headers were present. The middleware previously prioritized the...
CVE-2025-59139
CVE-2025-59139 affects the Hono web framework (pre-4.9.7). A flaw in the bodyLimit middleware allowed bypassing the configured request body size limit when conflicting headers were present, because Content-Length could be prioritized over Transfer-Encoding: chunked. The HTTP spec requires Transfe...
CVE-2025-59139 Hono has Body Limit Middleware Bypass
Hono is a Web application framework that provides support for any JavaScript runtime. In versions prior to 4.9.7, a flaw in the bodyLimit middleware could allow bypassing the configured request body size limit when conflicting HTTP headers were present. The middleware previously prioritized the...
Hono 安全漏洞
Hono is a web framework written in TypeScript from the Hono community. A security vulnerability exists in Hono versions prior to 4.9.7, which stems from the bodyLimit middleware prioritizing the Content-Length header when handling conflicting HTTP headers, which could lead to a denial of service...
CVE-2025-58362
Hono is a Web application framework that provides support for any JavaScript runtime. Versions 4.8.0 through 4.9.5 contain a flaw in the getPath utility function which could allow path confusion and potential bypass of proxy-level ACLs e.g. Nginx location blocks. The original implementation relie...
CVE-2025-58362
Hono is a Web application framework that provides support for any JavaScript runtime. Versions 4.8.0 through 4.9.5 contain a flaw in the getPath utility function which could allow path confusion and potential bypass of proxy-level ACLs e.g. Nginx location blocks. The original implementation relie...
Hono 安全漏洞
Hono is a web framework written in TypeScript from the Hono community. A security vulnerability exists in Hono 4.9.5 and earlier versions, which stems from an error in the path resolution of the getPath function and could lead to bypassing proxy ACLs...
CVE-2025-58362 Hono contains a flaw in URL path parsing, potentially leading to path confusion
Hono is a Web application framework that provides support for any JavaScript runtime. Versions 4.8.0 through 4.9.5 contain a flaw in the getPath utility function which could allow path confusion and potential bypass of proxy-level ACLs e.g. Nginx location blocks. The original implementation relie...
CVE-2025-58362 Hono contains a flaw in URL path parsing, potentially leading to path confusion
Hono is a Web application framework that provides support for any JavaScript runtime. Versions 4.8.0 through 4.9.5 contain a flaw in the getPath utility function which could allow path confusion and potential bypass of proxy-level ACLs e.g. Nginx location blocks. The original implementation relie...
Use of Incorrectly-Resolved Name or Reference
Overview hono is an Ultrafast web framework for the Edges Affected versions of this package are vulnerable to Use of Incorrectly-Resolved Name or Reference via the getPath function in the utils/url.ts file. An attacker can gain unauthorized access to protected endpoints by sending specially craft...
CVE-2024-48913
Hono, a web framework, prior to version 4.6.5 is vulnerable to bypass of cross-site request forgery CSRF middleware by a request without Content-Type header. Although the CSRF middleware verifies the Content-Type Header, Hono always considers a request without a Content-Type header to be safe. Th...
CVE-2024-43787
Hono is a Web application framework that provides support for any JavaScript runtime. Hono CSRF middleware can be bypassed using crafted Content-Type header. MIME types are case insensitive, but isRequestedByFormElementRe only matches lower-case. As a result, attacker can bypass csrf middleware...
CVE-2023-50710
Hono is a web framework written in TypeScript. Prior to version 3.11.7, clients may override named path parameter values from previous requests if the application is using TrieRouter. So, there is a risk that a privileged user may use unintended parameters when deleting REST API resources...
GHSA-2234-FMW7-43WR Hono allows bypass of CSRF Middleware by a request without Content-Type header.
Summary Bypass CSRF Middleware by a request without Content-Type herader. Details Although the csrf middleware verifies the Content-Type Header, Hono always considers a request without a Content-Type header to be safe...
Hono 跨站请求伪造漏洞
Hono is a web framework written in TypeScript from the Hono community. A cross-site request forgery vulnerability exists in Hono prior to version 4.6.5, which stems from a lack of cross-site request forgery checks...
Hono 安全漏洞
Hono is a web framework written in TypeScript from the Hono community. A security vulnerability exists in Hono versions prior to 4.5.8, which stems from the ability to bypass CSRF middleware using a specially crafted Content-Type header...
GHSA-3MPF-RCC7-5347 Hono vulnerable to Restricted Directory Traversal in serveStatic with deno
Summary When using serveStatic with deno, it is possible to directory traverse where main.ts is located. My environment is configured as per this tutorial https://hono.dev/getting-started/deno PoC bash $ tree . ├── deno.json ├── deno.lock ├── main.ts ├── README.md └── static └── a.txt source jsx...
Hono 安全漏洞
Hono is a web framework written in TypeScript from the Hono community. A security vulnerability exists in Hono versions prior to 4.2.7, which stems from using serveStatic with deno to traverse the directory where main.ts is located, potentially retrieving unexpected files...