Hono Web Framework Body Size Limit Bypass Vulnerability

Vulnerability

A vulnerability in the Hono web application framework, prior to version 4.12.16, allows oversized chunked requests to bypass the body size limit enforcement. The issue arises because the bodyLimit() function does not reliably apply the maximum size restriction to requests that carry no valid Content-Length header. As a result, oversized requests can reach the application handlers and receive a 200 response instead of the 413 status code expected for an oversized request.

Impact

This vulnerability can lead to applications processing oversized chunked requests without proper size validation, potentially causing unexpected behavior or resource exhaustion. Although per-request data exposure is limited by the maxSize setting, the framework's guarantee that oversized requests are rejected before reaching application logic is compromised.

Reproduction

To reproduce this vulnerability, send a chunked HTTP request to a Hono application with body data that exceeds the configured size limit. The request should not include a Content-Length header, allowing it to be processed as an unknown-length chunked request. If the application handler does not read the entire body or swallows read errors, the response will be 200 instead of the expected 413.
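The guarantee the advisory describes, enforcing the limit before the handler runs and independently of whether the handler reads the body, shown as an added plain-JavaScript example (not Hono's code): the guard counts bytes as chunks arrive, so a chunked body with no Content-Length is still rejected. The function names, the 16-byte limit and the request shape are assumptions for the demo; both Node streams and Web ReadableStreams are async iterable in Node, so the same guard applies to either.

```javascript
const MAX_SIZE = 16; // bytes, deliberately small for the demo (assumption)

// Pre-check: a declared Content-Length above the limit is rejected up front.
function exceedsDeclaredLength(headers, maxSize) {
  const cl = headers["content-length"];
  if (cl === undefined) return false; // chunked / unknown length: must count bytes
  const n = Number(cl);
  return !Number.isInteger(n) || n < 0 || n > maxSize;
}

// Consume the body (an async iterable of Uint8Array chunks), counting bytes as
// they arrive. Stops as soon as the limit is crossed, without waiting for the
// rest of the request, so the caller can answer 413 immediately.
async function readBodyWithLimit(chunks, maxSize) {
  const parts = [];
  let received = 0;
  for await (const chunk of chunks) {
    received += chunk.byteLength;
    if (received > maxSize) return { ok: false, received };
    parts.push(chunk);
  }
  return { ok: true, body: Buffer.concat(parts) };
}

// Dispatcher modelled on the advisory's failure mode: the guard reads and
// counts the body itself before the handler runs, so a handler that never
// reads the body (or swallows read errors) cannot turn an oversized request
// into a 200.
async function handle(req, handler, maxSize = MAX_SIZE) {
  if (exceedsDeclaredLength(req.headers, maxSize)) return { status: 413 };
  const result = await readBodyWithLimit(req.body, maxSize);
  if (!result.ok) return { status: 413 };
  return handler({ ...req, body: result.body });
}

// Constructed request bodies: chunked transfer, no Content-Length.
async function* chunked(sizes) {
  for (const n of sizes) yield new Uint8Array(n).fill(0x41); // 'A' bytes
}

// Handler that never touches the body, the case the advisory describes.
const ignoresBody = () => ({ status: 200 });

// Oversized chunked body (3 x 8 = 24 bytes > 16): expect 413, not 200.
handle({ headers: {}, body: chunked([8, 8, 8]) }, ignoresBody)
  .then((res) => console.log("oversized chunked:", res.status)); // 413
// Within the limit: the handler runs and answers 200.
handle({ headers: {}, body: chunked([4, 4]) }, ignoresBody)
  .then((res) => console.log("within limit:", res.status)); // 200
```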

Remediation

Users should update to Hono version 4.12.16 or later, where this vulnerability has been fixed.

Added: May 13, 2026, 5:21 PM
Updated: May 13, 2026, 5:21 PM

Vulnerability Rating

Custom Algorithm
spread: 2.2
impact: 0.6
exploitability: 8.6
remediation: 7.7
relevance: 8.2
threat: 1.6
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.