Hono
cpe:2.3:a:hono:hono:*:*:*:*:node.js:*:*
- <= 4.9.6
A vulnerability exists in the Hono web application framework, specifically in versions through 4.9.6, within the 'bodyLimit' middleware. This flaw can lead to bypassing the set request body size limit when conflicting HTTP headers are present. The middleware previously gave priority to the 'Content-Length' header, even when 'Transfer-Encoding: chunked' was also included. According to HTTP specifications, 'Content-Length' should be disregarded in such scenarios. As a result, oversized request bodies could evade the configured limits. The actual impact of this vulnerability varies depending on the runtime and deployment environment, as most standards-compliant runtimes and reverse proxies would reject such malformed requests with a '400 Bad Request' response. However, if body size limits are relied upon to guard against large or malicious requests, this vulnerability could allow the sending of oversized request bodies, potentially leading to a denial-of-service condition by causing excessive memory or CPU usage when processing very large requests.
Exploitation of this vulnerability allows for bypassing request body size limits, potentially leading to denial-of-service conditions. This is caused by excessive memory or CPU consumption when handling large requests that have bypassed the configured limits.
The vulnerability can be reproduced by sending a chunked HTTP request that includes a 'Transfer-Encoding: chunked' header and a 'Content-Length' header. The 'Content-Length' header should indicate a smaller size than the actual length of the chunked content. The Hono application should be running a version prior to 4.9.7, with the 'bodyLimit' middleware configured to enforce a maximum body size. When the request is processed, the server should incorrectly allow the oversized body by prioritizing the 'Content-Length' header, in violation of the HTTP specification.
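The check below is an added illustration, not Hono's source code or the project's fix. It models the body-limit logic as a standalone, runtime-agnostic function so the header precedence rule can be exercised offline: `vulnerableBodyLimit` reproduces the pre-4.9.7 behaviour the advisory describes (Content-Length consulted first), while `hardenedBodyLimit` ignores Content-Length whenever a chunked transfer coding is present and counts the bytes actually read. Headers are passed as a plain object with lowercase keys and the request body as an array of chunks; both are constructed sample data, and the function names are the example's own.

```javascript
// Added example (not Hono's own code): body-size enforcement written as
// plain functions so the header logic is testable without a server.
// headers: plain object keyed by lowercase header name (assumed shape).
// chunks: body pieces as a runtime would deliver them (constructed below).

const textEncoder = new TextEncoder();

function headerValue(headers, name) {
  const v = headers[name.toLowerCase()];
  return v === undefined ? null : String(v);
}

function byteLength(chunk) {
  return typeof chunk === 'string' ? textEncoder.encode(chunk).length : chunk.byteLength;
}

// Transfer-Encoding takes precedence over Content-Length in HTTP/1.1:
// when a chunked coding is present the declared length must not be trusted.
// Returns the usable declared length, or null when none can be relied on.
function declaredContentLength(headers) {
  const te = headerValue(headers, 'transfer-encoding');
  if (te !== null) {
    const codings = te.toLowerCase().split(',').map((s) => s.trim());
    if (codings.includes('chunked')) return null;
  }
  const cl = headerValue(headers, 'content-length');
  if (cl === null) return null;
  if (!/^\d+$/.test(cl)) throw new Error('invalid Content-Length');
  return Number(cl);
}

// Models the flawed ordering described in the advisory: a Content-Length
// within the limit short-circuits the check, so the real body is never counted.
function vulnerableBodyLimit(headers, chunks, maxSize) {
  const cl = headerValue(headers, 'content-length');
  const bytesSeen = chunks.reduce((n, c) => n + byteLength(c), 0);
  if (cl !== null && /^\d+$/.test(cl) && Number(cl) <= maxSize) {
    return { allowed: true, bytesSeen, reason: null };
  }
  return bytesSeen > maxSize
    ? { allowed: false, bytesSeen, reason: 'body exceeded limit' }
    : { allowed: true, bytesSeen, reason: null };
}

// Hardened version: Content-Length is only an early-reject hint, the body is
// counted as it is read, and a declared length that does not match is rejected.
function hardenedBodyLimit(headers, chunks, maxSize) {
  const declared = declaredContentLength(headers);
  if (declared !== null && declared > maxSize) {
    return { allowed: false, bytesSeen: 0, reason: 'declared length exceeds limit' };
  }
  let seen = 0;
  for (const chunk of chunks) {
    seen += byteLength(chunk);
    if (seen > maxSize) {
      // A streaming middleware would abort the read here instead of buffering on.
      return { allowed: false, bytesSeen: seen, reason: 'body exceeded limit while reading' };
    }
  }
  if (declared !== null && seen !== declared) {
    return { allowed: false, bytesSeen: seen, reason: 'Content-Length mismatch' };
  }
  return { allowed: true, bytesSeen: seen, reason: null };
}

// Constructed sample request: conflicting headers, 33-byte body, 16-byte limit.
const MAX_BODY = 16;
const conflictingHeaders = { 'transfer-encoding': 'chunked', 'content-length': '5' };
const oversizedChunks = ['hello', ' world, ', 'this is far too long'];

function runDemo() {
  return {
    vulnerable: vulnerableBodyLimit(conflictingHeaders, oversizedChunks, MAX_BODY),
    hardened: hardenedBodyLimit(conflictingHeaders, oversizedChunks, MAX_BODY),
  };
}

console.log(JSON.stringify(runDemo(), null, 2));
```

Running the demo shows the two orderings diverging on the same input: the vulnerable check reports `allowed: true` after 33 bytes have been accepted, while the hardened check stops at the same 33 bytes with `allowed: false`. Well-formed requests (Content-Length alone, or chunked alone within the limit) pass both.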
Users are advised to upgrade to Hono version 4.9.7, where this vulnerability has been fixed.