Lucene search

Veracode Vulnerability DatabaseVERACODE:48526

HistoryAug 23, 2024 - 7:26 a.m.

Cross-Site Request Forgery (CSRF)

2024-08-2307:26:33

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

cross-site request forgery

csrf

hono

vulnerability

middleware

mime type

bypassing protection

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L

AI Score

6.7

Confidence

Low

JSON

Hono is vulnerable to Cross-Site Request Forgery (CSRF). The vulnerability is due to the CSRF middleware’s case sensitivity in MIME type matching, which allows bypassing protection with upper-case MIME types.

References

github.com/advisories/GHSA-rpfr-3m35-5vx5

github.com/honojs/hono/blob/b0af71fbcc6dbe44140ea76f16d68dfdb32a99a0/src/middleware/csrf/index.ts#L16-L17

github.com/honojs/hono/commit/41ce840379516410dee60c783142e05bb5a22449

github.com/honojs/hono/security/advisories/GHSA-rpfr-3m35-5vx5