chore(deps): update dependency hono to v4.12.25 [security]#50
Open
renovate[bot] wants to merge 1 commit into

Conversation
This PR contains the following updates:

hono: 4.12.18 → 4.12.25

Hono: JWT middleware accepts any Authorization scheme, not only Bearer
CVE-2026-47673 / GHSA-f577-qrjj-4474

Summary
The `jwt` and `jwk` middlewares do not verify that the `Authorization` header value uses the `Bearer` scheme. Any two-part header value, regardless of the scheme name in the first position, proceeds to JWT verification. A request presenting a valid JWT under a non-`Bearer` scheme identifier (such as `Basic` or `Token`) is authenticated identically to a correctly formed `Bearer` request.

Details
When processing an `Authorization` (or custom) header, the middleware splits the value on whitespace and uses the second token as the JWT to verify. It does not check that the first token is `bearer` (case-insensitively). RFC 6750 specifies that bearer tokens, JWTs included, must be presented using the `Bearer` scheme; other scheme identifiers carry distinct semantics and may be subject to different policies in network-layer security controls.

This discrepancy means that scheme-aware external controls, such as WAF rules, API gateways, or reverse proxies that apply policies specific to the `Bearer` scheme identifier, can be bypassed by presenting a valid JWT under a different scheme name.

This issue affects the `hono/jwt` and `hono/jwk` middleware.

Impact
An attacker who possesses a valid JWT may present it under a non-`Bearer` scheme identifier and still pass middleware authentication.

This may lead to:

This issue affects applications where `hono/jwt` or `hono/jwk` authentication is combined with external controls that enforce scheme-based access policies.

Severity
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

References
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
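The scheme check the advisory describes, as an added example that is not Hono's code: `extractTokenLoose` has the vulnerable shape (any two-part value is accepted and the first token is never inspected), `extractBearerToken` enforces the `Bearer` scheme case-insensitively and requires the credential to have compact-JWS shape before verification would start. Signature verification is out of scope; `SAMPLE_JWT` is a constructed, unsigned placeholder with the three-part shape only.

```javascript
// Added example, not Hono's code: an Authorization parser in the vulnerable shape
// (any two-part value is accepted) beside a parser that enforces the Bearer scheme.
// Signature verification is out of scope; SAMPLE_JWT is a constructed, unsigned
// placeholder that only has the three-part compact-JWS shape.

const SAMPLE_JWT = 'eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2lnbmF0dXJl';

// Vulnerable shape: split on whitespace, take the second token, never look at the first.
function extractTokenLoose(authorization) {
  if (typeof authorization !== 'string') return null;
  const parts = authorization.trim().split(/\s+/);
  return parts.length === 2 ? parts[1] : null;
}

// Compact JWS: three base64url sections separated by dots (RFC 7515 section 7.1).
const JWS_COMPACT = /^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$/;

// Hardened shape: exactly "<scheme> <credentials>", scheme must be "bearer"
// case-insensitively (auth-scheme is case-insensitive per RFC 9110), and the
// credentials must look like a compact JWS before any verification is attempted.
function extractBearerToken(authorization) {
  if (typeof authorization !== 'string') return null;
  const m = /^\s*([!#$%&'*+\-.^_`|~0-9A-Za-z]+)[ \t]+(\S+)\s*$/.exec(authorization);
  if (m === null) return null;
  const scheme = m[1];
  const credentials = m[2];
  if (scheme.toLowerCase() !== 'bearer') return null; // Basic, Token, Digest, ... are rejected
  if (!JWS_COMPACT.test(credentials)) return null;    // not a compact JWS
  return credentials;
}

// Runs both parsers over the same set of constructed header values.
function compareParsers() {
  const inputs = {
    bearer: `Bearer ${SAMPLE_JWT}`,
    lowercaseBearer: `bearer ${SAMPLE_JWT}`,
    basic: `Basic ${SAMPLE_JWT}`,      // valid JWT under the wrong scheme
    token: `Token ${SAMPLE_JWT}`,
    threeParts: `Bearer ${SAMPLE_JWT} extra`,
  };
  const result = {};
  for (const [label, value] of Object.entries(inputs)) {
    result[label] = { loose: extractTokenLoose(value), strict: extractBearerToken(value) };
  }
  return result;
}
```

The point of rejecting before verification is that a WAF or gateway rule keyed on the literal `Bearer` prefix only protects the application if the application itself refuses every other scheme; otherwise the external control and the middleware disagree about what counts as a bearer request.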
Hono: IP Restriction bypasses static deny rules for non-canonical IPv6
CVE-2026-47674 / GHSA-xrhx-7g5j-rcj5

Summary
The `ip-restriction` middleware (`hono/ip-restriction`) compares incoming IP addresses against configured deny and allow rules using string equality after partial normalization. Non-canonical IPv6 representations of an address already listed in a static rule, such as compressed forms, explicit-zero forms, or hex-notation IPv4-mapped addresses, do not match the normalized rule entry, causing the rule to be silently skipped.

Details
When the rule matcher is built, each configured IP rule is normalized to a canonical string form. Incoming IP addresses received at request time are then compared against those canonical strings without applying the same normalization. Because IPv6 permits multiple syntactically different representations of the same numeric address, a non-canonical form of a denied address fails the string lookup and proceeds to the CIDR check, which also finds no match for rules registered as static (no prefix length). The request is then allowed.

Affected non-canonical forms include:

- compressed versus explicit-zero forms (`2001:db8::1` vs `2001:db8:0:0:0:0:0:1`)
- hex-notation versus dotted-quad IPv4-mapped addresses (`::ffff:7f00:1` vs `::ffff:127.0.0.1`)
- addresses carrying a zone identifier (`fe80::1%eth0`)

Additionally, invalid IP address strings provided as the remote address are not rejected and may result in unexpected allow or deny behavior.

This issue arises when applications use `ipRestriction()` with static (non-CIDR) rules and the IP address source can supply addresses in non-canonical IPv6 form.

Impact
A request from an IP address covered by a static deny rule may bypass the restriction if the address is presented in a non-canonical IPv6 form.

This may lead to:

This issue affects applications using `hono/ip-restriction` with static deny rules for IPv4 or IPv6 addresses, particularly when the source address is derived from proxy headers or custom `getIP` implementations that may return non-canonical forms.

Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

References
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
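The normalization mismatch above, as an added example that is not Hono's code: `canonicalizeIp` reduces IPv4 and IPv6 spellings (compressed, explicit-zero, dotted or hex IPv4-mapped, zone-suffixed) to one string, `makeDenyMatcherLoose` has the vulnerable shape (rules canonicalized at build time, the request address compared as received), and `makeDenyMatcherStrict` canonicalizes both sides and denies unparseable input. The canonical form chosen here (RFC 5952 compression, IPv4-mapped tails kept in hex, zone identifiers dropped) and the constructed `DENY_RULES` are this example's assumptions, not the library's.

```javascript
// Added example, not Hono's code: an IP canonicalizer plus a deny matcher in the
// vulnerable shape (rules canonicalized, request address compared as received) and
// in the fixed shape (both sides canonicalized, unparseable input denied). The
// canonical IPv6 form used here is RFC 5952 style (lowercase, no leading zeros,
// longest zero run compressed) with IPv4-mapped tails kept in hex; that choice and
// the decision to drop zone identifiers are this example's, not the library's.
// DENY_RULES and the tested addresses are constructed.

function parseIpv4(s) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (m === null) return null;
  const octets = [];
  for (let i = 1; i <= 4; i++) {
    const text = m[i];
    if (text.length > 1 && text[0] === '0') return null; // leading zeros are ambiguous (octal?)
    const n = Number(text);
    if (n > 255) return null;
    octets.push(n);
  }
  return octets;
}

// RFC 5952 compression: longest run of >= 2 zero groups becomes "::", leftmost on ties.
function compressIpv6(groups) {
  let bestStart = -1, bestLen = 0, start = -1;
  for (let i = 0; i <= 8; i++) {
    if (i < 8 && groups[i] === 0) {
      if (start === -1) start = i;
    } else {
      if (start !== -1 && i - start > bestLen) { bestStart = start; bestLen = i - start; }
      start = -1;
    }
  }
  const hex = groups.map((g) => g.toString(16));
  if (bestLen < 2) return hex.join(':');
  return hex.slice(0, bestStart).join(':') + '::' + hex.slice(bestStart + bestLen).join(':');
}

// Returns a canonical string for a valid IPv4/IPv6 address, or null for anything else.
function canonicalizeIp(addr) {
  if (typeof addr !== 'string') return null;
  const v4 = parseIpv4(addr);
  if (v4 !== null) return v4.join('.');
  let s = addr.toLowerCase();
  const zone = s.indexOf('%');
  if (zone !== -1) s = s.slice(0, zone);            // fe80::1%eth0 -> fe80::1
  if (!s.includes(':')) return null;
  const lastColon = s.lastIndexOf(':');
  const tail = s.slice(lastColon + 1);
  if (tail.includes('.')) {                          // ::ffff:127.0.0.1 -> ::ffff:7f00:1
    const t4 = parseIpv4(tail);
    if (t4 === null) return null;
    s = s.slice(0, lastColon + 1) + ((t4[0] << 8) | t4[1]).toString(16) + ':' + ((t4[2] << 8) | t4[3]).toString(16);
  }
  const halves = s.split('::');
  if (halves.length > 2) return null;
  const toGroups = (part) => (part === '' ? [] : part.split(':'));
  const head = toGroups(halves[0]);
  const rest = halves.length === 2 ? toGroups(halves[1]) : [];
  const fill = halves.length === 2 ? 8 - head.length - rest.length : 0;
  if (halves.length === 1 ? head.length !== 8 : fill < 1) return null;
  const nums = [];
  for (const g of [...head, ...new Array(fill).fill('0'), ...rest]) {
    if (!/^[0-9a-f]{1,4}$/.test(g)) return null;
    nums.push(parseInt(g, 16));
  }
  return compressIpv6(nums);
}

// Vulnerable shape: rules are canonicalized once, but the request address is looked
// up verbatim, so any other spelling of a denied address misses the set.
function makeDenyMatcherLoose(rules) {
  const denied = new Set(rules.map(canonicalizeIp));
  return (remoteAddr) => denied.has(remoteAddr);
}

// Fixed shape: canonicalize both sides; invalid rules fail at build time and an
// unparseable remote address is denied rather than passed through.
function makeDenyMatcherStrict(rules) {
  const denied = new Set(rules.map((rule) => {
    const c = canonicalizeIp(rule);
    if (c === null) throw new Error(`invalid IP rule: ${rule}`);
    return c;
  }));
  return (remoteAddr) => {
    const c = canonicalizeIp(remoteAddr);
    return c === null || denied.has(c);
  };
}

const DENY_RULES = ['2001:db8::1', '::ffff:127.0.0.1', '10.0.0.5']; // constructed static rules
const denyLoose = makeDenyMatcherLoose(DENY_RULES);
const denyStrict = makeDenyMatcherStrict(DENY_RULES);
```

Note that the loose matcher even misses the rule's own text when the rule was written in dotted IPv4-mapped form, because the stored canonical string is the hex spelling; the only reliable fix is to run the same canonicalizer on both sides.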
Hono: app.mount() strips mount prefix using undecoded path, causing incorrect routing for percent-encoded paths
CVE-2026-47676 / GHSA-2gcr-mfcq-wcc3

Summary
`app.mount()` strips the mount prefix from the incoming request path using the raw URL pathname, while route matching is performed against the percent-decoded path. This inconsistency causes the prefix to be stripped at the wrong position when the path contains percent-encoded multi-byte characters, resulting in the mounted sub-application receiving an incorrect path.

Details
When `app.mount(prefix, subApp)` is called, Hono calculates the number of characters to strip based on the decoded mount prefix length, but then applies that slice to the raw URL pathname. When the URL contains percent-encoded characters that expand to fewer characters when decoded (such as encoded non-ASCII characters), the two representations have different lengths, so the prefix is stripped at the wrong offset.

As a result, the sub-application receives a path that does not correspond to the intended sub-path; it may receive a partial or garbled path instead of the expected value after the mount prefix is removed.

This issue arises when an application uses `app.mount()` with paths that contain percent-encoded characters, particularly when the mount prefix itself or the request path contains encoded non-ASCII characters.

Impact
A mounted sub-application may receive an incorrectly stripped path, causing requests to be routed to unintended handlers within the sub-application.

This may lead to:

This issue affects applications that use `app.mount()` where the request URL may contain percent-encoded characters in the mount prefix or subsequent path segments.

Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
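The length mismatch described above, as an added example that is not Hono's code: `stripMountPrefixRaw` has the bug's shape (a character count taken from the decoded prefix is applied to the still-encoded pathname), `stripMountPrefixDecoded` decodes both sides first and also requires a segment boundary after the prefix. The mount prefix `/café` and the request paths are constructed; the sub-path returned is percent-decoded, which is this example's convention.

```javascript
// Added example, not Hono's code: prefix stripping done with a length taken from
// the decoded mount prefix but applied to the raw pathname (the bug's shape),
// beside stripping done on the decoded path. The mount prefix "/café" and the
// request paths are constructed; the returned sub-path is percent-decoded.

function safeDecode(s) {
  try { return decodeURIComponent(s); } catch { return null; } // malformed %-sequences
}

// Bug shape: count characters in the decoded prefix, slice the undecoded pathname.
// "/caf%C3%A9" decodes to 5 characters, so only 5 raw characters are cut.
function stripMountPrefixRaw(rawPathname, mountPrefix) {
  const decodedPrefix = safeDecode(mountPrefix);
  if (decodedPrefix === null) return null;
  return rawPathname.slice(decodedPrefix.length) || '/';
}

// Fixed shape: decode both, require a segment boundary after the prefix, then slice.
function stripMountPrefixDecoded(rawPathname, mountPrefix) {
  const path = safeDecode(rawPathname);
  const prefix = safeDecode(mountPrefix);
  if (path === null || prefix === null) return null;
  const base = prefix.endsWith('/') ? prefix.slice(0, -1) : prefix;
  if (base === '') return path;                                    // mounted at the root
  if (path !== base && !path.startsWith(base + '/')) return null;  // not under this mount
  return path.slice(base.length) || '/';
}
```

The boundary check matters on its own: `/caf%C3%A9teria` decodes to `/caféteria`, which starts with `/café` but is not under the `/café` mount, so a plain `startsWith` on the prefix alone would still route it into the sub-application.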
Hono: Cookie helper does not sanitize sameSite and priority, allowing Set-Cookie injection
CVE-2026-47675 / GHSA-3hrh-pfw6-9m5x

Summary
The `serialize()` function in `hono/cookie` validates the `domain` and `path` options against characters that corrupt `Set-Cookie` header syntax (`;`, `\r`, `\n`), but does not apply the same validation to `sameSite` and `priority`. An application that passes user-controlled input into either option may produce a `Set-Cookie` response header containing attacker-chosen additional attributes.

Details
When constructing a `Set-Cookie` header value, `serialize()` appends the `sameSite` and `priority` option values directly into the output string after a presentation-only transformation (capitalizing the first character). Although the TypeScript type signature constrains these options to specific string literals, that constraint is not enforced at runtime; any string value, including one containing `;` or line-feed characters, passes through unchanged.

The validation guard that rejects `;`, `\r`, and `\n` from `domain` and `path` is not applied to `sameSite` or `priority`. An application that passes a request-derived value to either option therefore provides an injection point into the header line.

This issue arises when an application passes user-controlled input to the `sameSite` or `priority` option of `setCookie()` or `serialize()`.

Impact
An attacker who can control the `sameSite` or `priority` option value may inject additional attributes into a `Set-Cookie` response header.

This may lead to:

- attacker-chosen `Domain`, `Path`, `HttpOnly`, `Secure`, or `Max-Age` attributes for the affected cookie
- a further `Set-Cookie` header injected into the same response

This issue affects applications that pass user-derived input into the `sameSite` or `priority` option of `hono/cookie` serialization functions.

Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

References
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
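The missing runtime check, as an added example that is not Hono's code: `serializeCookie` with `strict=false` reproduces the bug's shape (`domain` and `path` are screened for `;`, CR and LF while `sameSite` and `priority` are capitalized and appended as-is), and with `strict=true` validates both enum attributes against an allow-list at runtime, so a TypeScript union type is no longer the only guard. The cookie names, values and the tainted `sameSite` string are constructed.

```javascript
// Added example, not Hono's code: a Set-Cookie serializer with a `strict` switch.
// strict=false reproduces the bug's shape (domain/path are checked for ";", CR and
// LF, sameSite/priority are capitalized and appended unchecked); strict=true adds
// a runtime allow-list for both enum attributes. Cookie names/values are constructed.

const INJECTION_CHARS = /[;\r\n]/;
const SAME_SITE_VALUES = new Set(['strict', 'lax', 'none']);
const PRIORITY_VALUES = new Set(['low', 'medium', 'high']);

function capitalize(s) {
  return s.charAt(0).toUpperCase() + s.slice(1);
}

// Runtime enforcement of what the TypeScript type only promises at compile time.
function checkedEnum(label, value, allowed) {
  const v = String(value).toLowerCase();
  if (!allowed.has(v)) throw new Error(`invalid ${label}: ${JSON.stringify(value)}`);
  return capitalize(v);
}

function serializeCookie(name, value, opts = {}, strict = true) {
  let out = `${name}=${encodeURIComponent(value)}`;
  if (opts.domain !== undefined) {
    if (INJECTION_CHARS.test(opts.domain)) throw new Error('invalid domain');
    out += `; Domain=${opts.domain}`;
  }
  if (opts.path !== undefined) {
    if (INJECTION_CHARS.test(opts.path)) throw new Error('invalid path');
    out += `; Path=${opts.path}`;
  }
  if (opts.sameSite !== undefined) {
    // Bug shape (strict=false): any string is capitalized and appended, separators included.
    out += `; SameSite=${strict ? checkedEnum('sameSite', opts.sameSite, SAME_SITE_VALUES) : capitalize(String(opts.sameSite))}`;
  }
  if (opts.priority !== undefined) {
    out += `; Priority=${strict ? checkedEnum('priority', opts.priority, PRIORITY_VALUES) : capitalize(String(opts.priority))}`;
  }
  if (opts.secure) out += '; Secure';
  if (opts.httpOnly) out += '; HttpOnly';
  return out;
}

// Attacker-controlled value reaching the sameSite option, e.g. from a query parameter (constructed).
const TAINTED_SAME_SITE = 'lax; Domain=attacker.example; Path=/; Max-Age=31536000';
```

Because later attributes win when a cookie attribute is repeated, the injected `Domain`, `Path` and `Max-Age` in the loose output override whatever the application intended for that cookie; the strict path throws before a header line is ever built.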
hono: Path traversal in `serve-static` on Windows via encoded backslash (%5C)
CVE-2026-54286 / GHSA-wwfh-h76j-fc44

Summary
On Windows hosts, an encoded backslash (`%5C`) in the request path decodes to `\`, which the Windows path resolver treats as a separator. `serve-static` then resolves a single URL segment such as `admin\secret.txt` into a nested file under the root and serves it, letting an attacker read static files meant to be protected behind prefix-mounted middleware. Directory escape (`..`) remains blocked.

Details
The router splits paths only on `/`, so `/admin%5Csecret.txt` is one segment and middleware on `/admin/*` does not run. The `serve-static` guard rejects `.`, `..` and consecutive separators but lets a lone `\` through; on Windows the file resolver re-splits it into the protected subtree.

This affects Windows hosts serving static files via the Node, Bun, or Deno adapters that guard a static subtree with prefix-mounted middleware.

Impact
An unauthenticated attacker can read static files under a middleware-guarded prefix on Windows hosts. The read stays within the configured root; escape outside the root is not possible.

Severity
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

References
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
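The router/resolver disagreement above, as an added example that is not Hono's code: `guardLoose` has the bug's shape (segments are split on `/` only, so a decoded backslash survives inside one segment), `guardStrict` rejects any backslash or NUL after decoding, and `windowsSegments` stands in for a Windows resolver that splits on both separators. The `/admin/*` middleware prefix and request paths are constructed; `serveDecision` is this example's model of the request flow.

```javascript
// Added example, not Hono's code: a static-path guard in the bug's shape (segments
// are split on "/" only, so a decoded backslash survives) beside a guard that
// rejects backslashes outright, and a stand-in for a Windows resolver that treats
// both "/" and "\" as separators. The "/admin/*" prefix and paths are constructed.

function decodePath(urlPath) {
  try { return decodeURIComponent(urlPath); } catch { return null; }
}

function hasBadSegment(segments) {
  return segments.some((s) => s === '' || s === '.' || s === '..');
}

// Bug shape: rejects ".", "..", and consecutive separators, but only looks at "/".
function guardLoose(urlPath) {
  const decoded = decodePath(urlPath);
  if (decoded === null || !decoded.startsWith('/')) return null;
  return hasBadSegment(decoded.slice(1).split('/')) ? null : decoded;
}

// Hardened shape: any backslash or NUL after decoding is rejected before the
// path ever reaches an OS resolver, whatever that resolver treats as a separator.
function guardStrict(urlPath) {
  const decoded = decodePath(urlPath);
  if (decoded === null || !decoded.startsWith('/')) return null;
  if (decoded.includes('\\') || decoded.includes('\0')) return null;
  return hasBadSegment(decoded.slice(1).split('/')) ? null : decoded;
}

// Stand-in for a Windows path resolver: "/" and "\" both separate segments.
function windowsSegments(p) {
  return p.split(/[\\/]+/).filter((s) => s !== '');
}

// Models the request flow: middleware on "/admin/*" runs only when the first
// "/"-delimited segment is "admin"; the guarded path is then resolved under the root.
function serveDecision(urlPath, guard) {
  const decoded = decodePath(urlPath) ?? '';
  const adminMiddlewareRan = decoded.split('/')[1] === 'admin';
  const guarded = guard(urlPath);
  return { adminMiddlewareRan, served: guarded === null ? null : windowsSegments(guarded) };
}
```

Rejecting the backslash unconditionally, rather than only on Windows, keeps the guard independent of the host OS and of what a future resolver might do with the character.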
hono: AWS Lambda adapter merges multiple `Set-Cookie` headers into one value, dropping cookies on ALB single-header and Lattice
CVE-2026-54287 / GHSA-j6c9-x7qj-28xf

Summary
On AWS Lambda, the ALB single-header response and the VPC Lattice v2 response join multiple `Set-Cookie` headers into one comma-separated value. Because commas also appear inside cookie attributes (for example `Expires` dates), clients cannot split the value back into individual cookies and silently drop or misparse them.

Details
Per RFC 6265, each cookie must be its own `Set-Cookie` header line, and commas may appear inside attribute values. Joining cookies with `", "` collides with those commas, producing a value that clients cannot reliably split. Only ALB single-header mode and VPC Lattice v2 are affected; API Gateway v1/v2 and ALB with multi-value headers enabled already use an array and are unaffected.

Impact
A client may receive only one of the cookies, a malformed cookie, or none. Session, CSRF, or preference cookies can silently fail to apply, breaking sessions or forcing re-authentication. This affects applications that set multiple cookies per response and run on AWS Lambda behind an ALB in single-header mode (the default) or VPC Lattice v2.

Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

References
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
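The join collision above, as an added example that is not Hono's code: `toAlbSingleLoose` has the bug's shape (repeated header names are joined with `", "`), `toAlbMultiValue` produces the array-valued `multiValueHeaders` shape that an ALB target group with multi-value headers enabled accepts, and `naiveCookieSplit` shows why the joined value cannot be recovered once an `Expires` date is present. `toAlbSingleStrict`, which refuses to emit more than one `Set-Cookie` into the single-header shape, is this example's choice rather than the library's fix. The response header list is constructed.

```javascript
// Added example, not Hono's code: converting a response's header list into the two
// ALB Lambda target shapes. Single-header mode joins repeats with ", " (the bug's
// shape); multi-value mode keeps an array. A strict variant refuses to emit more
// than one Set-Cookie into the single-header shape instead of merging silently;
// that refusal is this example's choice, not the library's fix. Cookies constructed.

const RESPONSE_HEADERS = [ // constructed: what a handler set on its Response
  ['Content-Type', 'text/html; charset=utf-8'],
  ['Set-Cookie', 'sid=abc123; Path=/; Expires=Wed, 21 Oct 2026 07:28:00 GMT; HttpOnly; Secure'],
  ['Set-Cookie', 'csrf=xyz789; Path=/; SameSite=Strict'],
];

// ALB target with multi-value headers enabled: every name maps to an array.
function toAlbMultiValue(headerList) {
  const multiValueHeaders = {};
  for (const [name, value] of headerList) {
    const key = name.toLowerCase();
    (multiValueHeaders[key] || (multiValueHeaders[key] = [])).push(value);
  }
  return { multiValueHeaders };
}

// ALB single-header mode, bug shape: repeated names are joined with ", ".
function toAlbSingleLoose(headerList) {
  const headers = {};
  for (const [name, value] of headerList) {
    const key = name.toLowerCase();
    headers[key] = key in headers ? `${headers[key]}, ${value}` : value;
  }
  return { headers };
}

// Single-header mode, strict: more than one Set-Cookie cannot be represented, so
// fail loudly rather than hand the client a value it cannot split.
function toAlbSingleStrict(headerList) {
  const setCookies = headerList.filter(([name]) => name.toLowerCase() === 'set-cookie');
  if (setCookies.length > 1) {
    throw new Error('multiple Set-Cookie headers need ALB multi-value headers enabled');
  }
  return toAlbSingleLoose(headerList);
}

// What a client can do with the joined value: split on ", " and get three fragments
// instead of two cookies, because the Expires date contains its own comma.
function naiveCookieSplit(joined) {
  return joined.split(', ');
}
```

The practical takeaway for ALB deployments is in the advisory itself: enable multi-value headers on the target group so the adapter can emit the array form; no string joining of `Set-Cookie` values is safe.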
hono: CORS Middleware reflects any Origin with credentials when `origin` defaults to the wildcard
CVE-2026-54290 / GHSA-88fw-hqm2-52qc

Summary
With `credentials: true` and no explicit `origin` (the default wildcard), the CORS Middleware reflects the request's `Origin` and sends `Access-Control-Allow-Credentials: true`. Any site can then make credentialed cross-origin requests and read the responses, exposing cookie-authenticated endpoints to arbitrary origins.

Details
The spec forbids `Access-Control-Allow-Origin: *` with credentials and browsers reject it, so this configuration used to fail closed. In affected versions the middleware reflects the request `Origin` instead, so it now succeeds for every origin, including `null`. The preflight also echoes the requested headers back, approving non-simple credentialed requests too.

This issue arises when an application enables `credentials: true` and leaves `origin` unset or set to the wildcard.

Impact
Any third-party page a logged-in user visits can read the application's cookie-authenticated endpoints and perform credentialed state-changing requests. This affects applications that enable credentialed CORS without restricting `origin`.

Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N

References
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
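The reflection above, as an added example that is not Hono's code: `corsResponseHeaders` computes the grant for a request `Origin`; the `reflectWildcard` switch reproduces the bug's shape (wildcard plus credentials becomes whatever `Origin` arrived), and without it the wildcard stays `*` so browsers refuse credentialed use, while an explicit allow-list is the only way a specific origin is reflected. `validateCorsOptions` is this example's config-time check, not the library's API. Origins are constructed.

```javascript
// Added example, not Hono's code: computing CORS response headers for a request
// Origin. The `reflectWildcard` switch reproduces the bug's shape (wildcard origin
// plus credentials reflects whatever Origin arrived); without it, wildcard stays "*"
// so browsers refuse credentialed use, and an explicit allow-list is the only way to
// reflect. validateCorsOptions is this example's config-time check. Origins constructed.

function resolveAllowedOrigin(requestOrigin, origin) {
  if (origin === '*') return '*';
  const list = Array.isArray(origin) ? origin : [origin];
  return list.includes(requestOrigin) ? requestOrigin : null;
}

// Returns the headers to add to the response; {} means "no CORS grant".
function corsResponseHeaders(requestOrigin, options, { reflectWildcard = false } = {}) {
  const { origin = '*', credentials = false } = options;
  let allowed = resolveAllowedOrigin(requestOrigin, origin);
  if (allowed === '*' && credentials && reflectWildcard) {
    allowed = requestOrigin; // bug shape: "*" silently becomes the caller's Origin
  }
  if (allowed === null) return {};
  const headers = { 'Access-Control-Allow-Origin': allowed };
  if (allowed !== '*') headers['Vary'] = 'Origin'; // per-origin responses must not be cached across origins
  if (credentials) headers['Access-Control-Allow-Credentials'] = 'true';
  return headers;
}

// Fail at startup: credentials with a wildcard origin is never a valid configuration.
function validateCorsOptions(options) {
  const { origin = '*', credentials = false } = options;
  if (credentials && origin === '*') {
    throw new Error('cors: credentials: true requires an explicit origin allow-list');
  }
  return options;
}
```

Reflecting from an allow-list is fine; reflecting from nothing is what turns every cookie-authenticated endpoint into a cross-site readable one. The `Vary: Origin` line is there so a shared cache never serves one origin's grant to another.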
hono: Lambda@Edge adapter keeps only the last value of a repeated request header, dropping the rest
CVE-2026-54289 / GHSA-wgpf-jwqj-8h8p

Summary
On AWS Lambda@Edge, CloudFront delivers a request header that appears more than once as several separate entries. The adapter writes each value with `Headers.set` instead of `Headers.append`, so every value overwrites the previous one and only the last reaches the application. Repeated request headers such as `X-Forwarded-For`, `Forwarded`, and `Via` are silently truncated to a single value.

Details
A repeated request header carries an ordered list of values. The adapter iterates the list but overwrites on each step, keeping only the final value. Middleware that depends on the full list, for example IP restriction that walks the `X-Forwarded-For` chain, or auditing based on `Forwarded`/`Via` hops, receives incomplete data. The API Gateway adapter already appends repeated values and is not affected.

This issue arises only on Lambda@Edge deployments, for requests that contain the same header more than once.

Impact
Request middleware sees only the last value of a repeated header instead of the full chain. For applications that base access control on the `X-Forwarded-For` chain, this can weaken or alter that decision; for auditing, hop history is lost. This affects applications deployed on AWS Lambda@Edge that rely on multi-value request headers.

Severity
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

References
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
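The `set` versus `append` difference above, as an added example that is not Hono's code: `toRequestHeaders` builds a Fetch `Headers` object from a CloudFront request event's header map, with `useAppend=false` reproducing the bug's shape (only the last `X-Forwarded-For` entry survives) and `useAppend=true` keeping the full ordered list. The CloudFront header map is constructed and follows the documented shape of lowercase names mapping to arrays of `{key, value}` entries; `forwardedChain` is this example's stand-in for middleware that walks the chain.

```javascript
// Added example, not Hono's code: building a Fetch Headers object from a CloudFront
// request event's header map. useAppend=false is the bug's shape (Headers.set
// overwrites, keeping only the last X-Forwarded-For value); useAppend=true keeps
// the full list. The CloudFront header map below is constructed; it follows the
// documented shape of lowercase names mapping to arrays of {key, value} entries.

const CLOUDFRONT_HEADERS = { // constructed sample, two repeated headers
  host: [{ key: 'Host', value: 'app.example' }],
  'x-forwarded-for': [
    { key: 'X-Forwarded-For', value: '203.0.113.7' },   // original client
    { key: 'X-Forwarded-For', value: '198.51.100.2' },  // intermediate proxy
  ],
  via: [
    { key: 'Via', value: '1.1 proxy-a' },
    { key: 'Via', value: '1.1 proxy-b' },
  ],
};

function toRequestHeaders(cfHeaders, useAppend) {
  const headers = new Headers();
  for (const entries of Object.values(cfHeaders)) {
    for (const { key, value } of entries) {
      if (useAppend) headers.append(key, value); // keeps every value, comma-joined on get()
      else headers.set(key, value);              // bug shape: last one wins
    }
  }
  return headers;
}

// The chain an IP-restriction or audit middleware would walk, oldest hop first.
function forwardedChain(headers) {
  const raw = headers.get('x-forwarded-for');
  return raw === null ? [] : raw.split(',').map((s) => s.trim()).filter((s) => s !== '');
}
```

With the truncated chain, an allow/deny decision keyed on the first hop is made on the proxy's address rather than the client's; the appended form restores the list in the order CloudFront delivered it.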
hono: Body Limit Middleware can be bypassed on AWS Lambda by understating `Content-Length`
CVE-2026-54288 / GHSA-rv63-4mwf-qqc2

Summary
The Body Limit Middleware trusts the request's `Content-Length` header to decide whether a body is within the limit. On AWS Lambda (API Gateway v1/v2, ALB, VPC Lattice, and Lambda@Edge) the body is delivered fully buffered and the adapter builds the request with the client-declared `Content-Length`, which need not match the actual payload. A client can declare a tiny `Content-Length` while sending a much larger body, slipping past the limit.

Details
When `Content-Length` is present and `Transfer-Encoding` is absent, the middleware compares the declared value against the limit and passes the request through if it is small enough. On standards-based runtimes the transport enforces that `Content-Length` matches the body, so this is safe. The Lambda adapters instead reconstruct the request from a buffered payload and copy the client's `Content-Length` verbatim, so the declared length and the real body size are decoupled.

This issue affects applications deployed on AWS Lambda that rely on the Body Limit Middleware to cap request body size.

Impact
The declared body-size limit can be bypassed: a handler reads a payload larger than the configured maximum. Processing the oversized payload (large JSON, multipart, etc.) consumes additional CPU and memory per request. The payload remains bounded by the platform's request size limits, and Lambda isolates invocations, so the impact is increased per-request resource usage rather than full denial of service. This affects applications deployed on AWS Lambda that use the Body Limit Middleware.

Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

References
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
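The decoupled length above, as an added example that is not Hono's code: `withinBodyLimit` over a buffered Lambda-style event, where `trustContentLength=true` reproduces the bug's shape (the client-declared header decides) and `false` measures the buffered payload and additionally rejects a declared length that disagrees with it. The event objects are constructed; they follow the API Gateway/ALB convention of a string `body` plus `isBase64Encoded`, and `bufferedBodyBytes` counts base64 payloads arithmetically so nothing is decoded just to be measured.

```javascript
// Added example, not Hono's code: a body-size check over a buffered Lambda-style
// event. trustContentLength=true is the bug's shape (the client-declared header
// decides); false measures the buffered payload and also rejects a declared length
// that disagrees with it. The event objects are constructed; they follow the
// API Gateway/ALB convention of a string `body` plus `isBase64Encoded`.

function headerValue(headers, name) {
  for (const [k, v] of Object.entries(headers || {})) {
    if (k.toLowerCase() === name) return v;
  }
  return undefined;
}

// Byte length of the buffered body without decoding it.
function bufferedBodyBytes(event) {
  if (!event.body) return 0;
  if (event.isBase64Encoded) {
    const unpadded = event.body.replace(/=+$/, '');
    return Math.floor((unpadded.length * 3) / 4);
  }
  return new TextEncoder().encode(event.body).byteLength;
}

// Returns true when the request may proceed.
function withinBodyLimit(event, maxBytes, trustContentLength) {
  const declaredText = headerValue(event.headers, 'content-length');
  const declared = declaredText === undefined ? null : Number(declaredText);
  if (trustContentLength) {
    // Bug shape: on a buffered transport nothing ties this number to the payload.
    return declared === null || !Number.isFinite(declared) || declared <= maxBytes;
  }
  const actual = bufferedBodyBytes(event);
  if (declared !== null && declared !== actual) return false; // header disagrees with payload: reject
  return actual <= maxBytes;
}

const MAX_BYTES = 1024;
const UNDERSTATED_EVENT = { // constructed: claims 10 bytes, carries about 4 KiB
  headers: { 'Content-Length': '10', 'Content-Type': 'application/json' },
  body: JSON.stringify({ pad: 'x'.repeat(4085) }),
  isBase64Encoded: false,
};
```

Whenever the whole body is already in memory, the header adds no information about size; measuring the buffer is both cheaper and the only check an attacker cannot influence.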
Release Notes

honojs/hono (hono)

v4.12.25 (Compare Source)

Security fixes

This release includes fixes for the following security issues:

- CORS Middleware reflects any Origin with credentials when `origin` defaults to the wildcard. Affects: `hono/cors`. Fixes the wildcard origin reflecting the request `Origin` and sending `Access-Control-Allow-Credentials: true` when `credentials: true` is set without an explicit `origin`, where any site a logged-in user visited could make credentialed cross-origin requests and read responses from cookie-authenticated endpoints. GHSA-88fw-hqm2-52qc
- Body Limit Middleware can be bypassed on AWS Lambda by understating `Content-Length`. Affects: `hono/body-limit` on AWS Lambda (`hono/aws-lambda`, `hono/lambda-edge`). Fixes the request being built with the client-declared `Content-Length` while the body is delivered fully buffered, where a client could declare a small `Content-Length` with a much larger body and slip past the configured size limit. GHSA-rv63-4mwf-qqc2
- Path traversal in `serve-static` on Windows via encoded backslash (`%5C`). Affects: `serveStatic` on Windows (Node, Bun, Deno adapters). Fixes the path guard allowing a lone backslash, where an encoded backslash (`%5C`) decoded to `\` was treated as a separator by the Windows path resolver, letting a single URL segment escape into a middleware-guarded subtree. GHSA-wwfh-h76j-fc44
- AWS Lambda adapter merges multiple `Set-Cookie` headers into one value, dropping cookies on ALB single-header and Lattice. Affects: `hono/aws-lambda`. Fixes multiple `Set-Cookie` response headers being joined into one comma-separated value for ALB single-header responses and VPC Lattice v2, where the value could not be split back into individual cookies and clients silently dropped or misparsed them. GHSA-j6c9-x7qj-28xf
- Lambda@Edge adapter keeps only the last value of a repeated request header, dropping the rest. Affects: `hono/lambda-edge`. Fixes repeated request headers being written with overwrite instead of append, where only the last value of a header such as `X-Forwarded-For` reached the application and the remaining values were silently dropped. GHSA-wgpf-jwqj-8h8p

v4.12.24 (Compare Source)

What's Changed

Full Changelog: honojs/hono@v4.12.23...v4.12.24

v4.12.23 (Compare Source)

What's Changed

- `COMPRESSIBLE_CONTENT_TYPE_REGEX` re-export by @na-trium-144 in #4961
- `::` by @yusukebe in #4971

Full Changelog: honojs/hono@v4.12.22...v4.12.23

v4.12.22 (Compare Source)

What's Changed

New Contributors

Full Changelog: honojs/hono@v4.12.21...v4.12.22

v4.12.21 (Compare Source)

Security fixes

This release includes fixes for the following security issues:

- app.mount() strips mount prefix using undecoded path, causing incorrect routing for percent-encoded paths. Affects: `app.mount()`. Fixes prefix stripping using the raw URL pathname instead of the decoded path, where percent-encoded characters in the mount prefix or path could cause the prefix to be removed at the wrong position, resulting in the sub-application receiving an incorrect path. GHSA-2gcr-mfcq-wcc3
- IP Restriction bypasses static deny rules for non-canonical IPv6. Affects: `hono/ip-restriction`. Fixes IP address comparison using string equality, where non-canonical IPv6 representations of a denied address, such as compressed forms or hex-notation IPv4-mapped addresses, could bypass static deny rules. GHSA-xrhx-7g5j-rcj5
- Cookie helper does not sanitize sameSite and priority, allowing Set-Cookie injection. Affects: `hono/cookie`. Fixes missing validation of `sameSite` and `priority` options against injection characters (`;`, `\r`, `\n`), where user-controlled input passed to either option could inject additional attributes into the Set-Cookie r

Configuration
📅 Schedule: (in timezone Europe/Copenhagen)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.