
CVE-2025-59139: CWE-400: Uncontrolled Resource Consumption in honojs hono

Medium
Type: Vulnerability
Tags: CVE-2025-59139, cve, cwe-400, cwe-770
Published: Fri Sep 12 2025 (09/12/2025, 13:03:05 UTC)
Source: CVE Database V5
Vendor/Project: honojs
Product: hono

Description

Hono is a Web application framework that provides support for any JavaScript runtime. In versions prior to 4.9.7, a flaw in the `bodyLimit` middleware could allow bypassing the configured request body size limit when conflicting HTTP headers were present. The middleware previously prioritized the `Content-Length` header even when a `Transfer-Encoding: chunked` header was also included. According to the HTTP specification, `Content-Length` must be ignored in such cases. This discrepancy could allow oversized request bodies to bypass the configured limit. Most standards-compliant runtimes and reverse proxies may reject such malformed requests with `400 Bad Request`, so the practical impact depends on the runtime and deployment environment. If body size limits are used as a safeguard against large or malicious requests, this flaw could allow attackers to send oversized request bodies. The primary risk is denial of service (DoS) due to excessive memory or CPU consumption when handling very large requests. The implementation has been updated to align with the HTTP specification, ensuring that `Transfer-Encoding` takes precedence over `Content-Length`. The issue is fixed in Hono v4.9.7, and all users should upgrade immediately.

AI-Powered Analysis

Last updated: 09/12/2025, 13:17:59 UTC

Technical Analysis

CVE-2025-59139 is a medium-severity vulnerability affecting versions of the Hono web application framework prior to 4.9.7. Hono is a JavaScript framework designed to run on any JavaScript runtime. The vulnerability arises from improper handling of HTTP message-framing headers in the `bodyLimit` middleware, which enforces a limit on the size of incoming request bodies. When a request carried both `Content-Length` and `Transfer-Encoding: chunked`, the middleware gave precedence to `Content-Length`. The HTTP specification requires the opposite: when `Transfer-Encoding` is present, `Content-Length` must be ignored and the body is framed by the chunked encoding.

The practical consequence is that an attacker could send a small, attacker-chosen `Content-Length` value together with a chunked body of arbitrary size. The middleware's size check was based on the declared `Content-Length` rather than on the chunked body actually received, so a declared value within bounds let an oversized body reach the handler. This is uncontrolled resource consumption (CWE-400): the server may allocate excessive memory or CPU to buffer and process the large body, potentially resulting in denial of service (DoS).

The practical impact depends heavily on the runtime and deployment setup. A request carrying both framing headers is malformed, and many standards-compliant runtimes and reverse proxies reject it with `400 Bad Request` before it reaches the application, which mitigates the risk; the bypass matters where the runtime or proxy in front of Hono accepts such requests and forwards them. The issue has been addressed in Hono version 4.9.7 by updating the middleware to comply with the HTTP specification, so that `Transfer-Encoding` takes precedence over `Content-Length`. Users of affected versions are strongly advised to upgrade immediately. No known exploits are currently reported in the wild.
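The following JavaScript is an added example, not Hono's own `bodyLimit` implementation and not code from this advisory. It models the two behaviours described above on constructed request objects (a plain header object plus an array of body chunks, standing in for a real `Request`): a vulnerable check that trusts `Content-Length` whenever it is present, a hardened check that gives chunked `Transfer-Encoding` precedence and counts the streamed body, and a conflicting-framing check of the kind a reverse proxy applies before answering `400`. `MAX_SIZE`, the function names and the 4096-byte attack body are assumptions chosen for illustration.

```javascript
// Added example (not Hono's code): a reduced model of a request-body size limit
// and the header-precedence bug described in the advisory.
// A request is modelled as { headers: { name: value }, chunks: [Uint8Array, ...] }.

const MAX_SIZE = 1024; // hypothetical configured limit, in bytes

// Case-insensitive header lookup on a plain object.
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  for (const key of Object.keys(headers)) {
    if (key.toLowerCase() === wanted) return headers[key];
  }
  return undefined;
}

// True when Transfer-Encoding lists "chunked". Per the HTTP spec the body is then
// framed by the chunked encoding and any Content-Length must be ignored.
function isChunked(headers) {
  const te = getHeader(headers, 'transfer-encoding');
  if (te === undefined) return false;
  return te.split(',').map((s) => s.trim().toLowerCase()).includes('chunked');
}

// Both framing headers present: the request is malformed, and a standards-compliant
// proxy or runtime may reject it outright with 400 Bad Request.
function hasConflictingFraming(headers) {
  return isChunked(headers) && getHeader(headers, 'content-length') !== undefined;
}

// Count the body as it streams and stop as soon as the limit is exceeded, so the
// server never buffers more than maxSize plus one chunk.
function streamWithinLimit(chunks, maxSize) {
  let seen = 0;
  for (const chunk of chunks) {
    seen += chunk.byteLength;
    if (seen > maxSize) return { allowed: false, bytesRead: seen };
  }
  return { allowed: true, bytesRead: seen };
}

// Pre-fix behaviour as the advisory describes it: if Content-Length is present it is
// the only thing compared against the limit, and the body is never counted.
function vulnerableBodyLimit(req, maxSize) {
  const cl = getHeader(req.headers, 'content-length');
  if (cl !== undefined) {
    const declared = parseInt(cl, 10);
    return { allowed: !(declared > maxSize), bytesRead: 0, path: 'content-length' };
  }
  return { ...streamWithinLimit(req.chunks, maxSize), path: 'stream' };
}

// Fixed behaviour: chunked framing takes precedence, so Content-Length is ignored and
// the body is counted as it is read. A non-numeric Content-Length is treated as
// malformed and rejected (an added hardening choice, not something the advisory states).
function hardenedBodyLimit(req, maxSize) {
  const cl = getHeader(req.headers, 'content-length');
  if (cl !== undefined && !isChunked(req.headers)) {
    const declared = parseInt(cl, 10);
    if (!Number.isFinite(declared)) return { allowed: false, bytesRead: 0, path: 'malformed' };
    return { allowed: !(declared > maxSize), bytesRead: 0, path: 'content-length' };
  }
  return { ...streamWithinLimit(req.chunks, maxSize), path: 'stream' };
}

// Constructed attack request: a small Content-Length beside chunked framing, with an
// actual body of bodyBytes delivered in 512-byte chunks.
function makeConflictingRequest(bodyBytes) {
  const chunks = [];
  for (let off = 0; off < bodyBytes; off += 512) {
    chunks.push(new Uint8Array(Math.min(512, bodyBytes - off)).fill(0x41));
  }
  return {
    headers: { 'Content-Length': '10', 'Transfer-Encoding': 'chunked' },
    chunks,
  };
}

// Run as a script: the vulnerable check passes 4096 bytes through a 1024-byte limit.
if (typeof require !== 'undefined' && require.main === module) {
  const req = makeConflictingRequest(4096);
  console.log('conflicting framing:', hasConflictingFraming(req.headers));
  console.log('vulnerable:', vulnerableBodyLimit(req, MAX_SIZE));
  console.log('hardened:  ', hardenedBodyLimit(req, MAX_SIZE));
}
```

Note that the hardened check still stops after the first chunk that crosses the limit (1536 bytes of the 4096 in the example) rather than buffering the whole body, which is the property that makes a body limit useful against resource exhaustion; an implementation that reads everything and only then compares the size defeats its own purpose.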

Potential Impact

For European organizations using the Hono framework in their web applications, this vulnerability poses a risk primarily of denial of service. If attackers can send oversized request bodies that bypass size limits, they may exhaust server memory or CPU resources, leading to degraded performance or outages. This can disrupt business operations, especially for services relying on Hono for critical web applications or APIs. The impact is more pronounced in environments lacking front-line protections such as reverse proxies or web application firewalls that enforce HTTP standards and reject malformed requests. Additionally, organizations with high traffic volumes or those exposed directly to the internet without intermediary filtering are at greater risk. While the vulnerability does not compromise confidentiality or integrity, the availability impact can affect customer trust, regulatory compliance (e.g., GDPR mandates on service availability), and operational continuity. Given the medium CVSS score (5.3) and the absence of required authentication or user interaction, the threat is moderate but should not be underestimated in production environments.

Mitigation Recommendations

1. Upgrade immediately to Hono version 4.9.7 or later so that the `bodyLimit` middleware handles conflicting HTTP framing headers in compliance with the HTTP specification.
2. Deploy or configure reverse proxies and web application firewalls (WAFs) to strictly enforce HTTP standards, rejecting requests that carry both `Content-Length` and `Transfer-Encoding` headers.
3. Implement network-level rate limiting and request size restrictions to reduce the risk of resource exhaustion from large or malformed requests.
4. Monitor application logs and network traffic for anomalous patterns indicative of exploitation attempts, such as requests with conflicting framing headers or unusually large payloads.
5. Conduct security testing and code reviews to verify that other middleware or custom components do not exhibit similar header-handling flaws.
6. Educate development and operations teams about adhering to HTTP specifications and promptly applying security patches.
7. For critical services, consider deploying runtime protections or resource quotas to limit the impact of potential DoS attacks even if malformed requests are processed.


Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2025-09-09T15:23:16.325Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 68c41d5dd839f9a306304f61

Added to database: 9/12/2025, 1:17:17 PM

Last enriched: 9/12/2025, 1:17:59 PM

Last updated: 9/12/2025, 6:39:03 PM

