CVE-2026-54288: CWE-345: Insufficient Verification of Data Authenticity in honojs hono
Hono is a JavaScript web application framework. Prior to version 4.12.25, its Body Limit Middleware relies on the client-supplied Content-Length header to enforce request body size limits. On AWS Lambda the actual request body may be larger than the declared Content-Length, so an attacker can bypass the size restriction by sending a small Content-Length value together with a larger payload. This issue is fixed in version 4.12.25.
AI Analysis
Technical Summary
CVE-2026-54288 is an insufficient verification of data authenticity weakness (CWE-345) in the Body Limit Middleware of the honojs hono framework. When a request carries a Content-Length header, the middleware used that client-supplied value to decide whether the body was within the configured limit instead of measuring the bytes actually received. On a streaming HTTP server the parser reads at most Content-Length bytes of body, so the header effectively bounds what the application sees. On AWS Lambda (behind API Gateway v1/v2, ALB, VPC Lattice, or Lambda@Edge) the invocation event already contains the fully buffered body, and the hono Lambda adapter builds the Request object from that buffered body together with the headers the client sent. Nothing reconciles the two, so a client can declare Content-Length: 16 while the event body is several megabytes; the middleware reads the header, sees a value under the limit, and passes the oversized body through to the handler. The vulnerability is resolved in hono version 4.12.25.
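The trust gap described above, shown side by side with a check that measures the received bytes. This is an added example written for this page, not hono's code: the `makeBufferedRequest` helper, the `MAX_BODY_BYTES` limit, the two check functions and the constructed requests are all assumptions that stand in for the Lambda adapter and the Body Limit Middleware. It runs offline under Node.js.

```javascript
// Added illustration of the CVE-2026-54288 trust gap. Not hono's code; a
// simplified stand-in for the Body Limit check, written for this page.
const MAX_BODY_BYTES = 1024; // hypothetical configured limit

// Models what a Lambda-style adapter hands the middleware: headers are copied
// verbatim from the client, and the body is already fully buffered because the
// invocation event carried it whole. Nothing reconciles the two.
function makeBufferedRequest(headers, bodyBytes) {
  const normalized = new Map();
  for (const [name, value] of Object.entries(headers)) {
    normalized.set(name.toLowerCase(), String(value));
  }
  return { headers: normalized, body: bodyBytes };
}

// Vulnerable pattern (the behaviour the advisory describes): when a
// Content-Length header is present, decide solely on the declared value.
function checkByDeclaredLength(req, maxSize = MAX_BODY_BYTES) {
  const declared = req.headers.get('content-length');
  if (declared !== null) {
    const n = Number.parseInt(declared, 10);
    return { allowed: !(n > maxSize), basis: 'content-length' };
  }
  return { allowed: req.body.byteLength <= maxSize, basis: 'measured' };
}

// Counts bytes as chunks arrive and stops at the first chunk that pushes the
// running total over the limit, so an oversized body is never fully consumed.
// Any iterable of Uint8Array works; a buffered body is simply one chunk.
function measureWithLimit(chunks, maxSize) {
  let total = 0;
  for (const chunk of chunks) {
    total += chunk.byteLength;
    if (total > maxSize) {
      return { exceeded: true, bytesSeen: total };
    }
  }
  return { exceeded: false, bytesSeen: total };
}

// Hardened pattern: the header may only reject early, never admit. The
// decision rests on the bytes actually received.
function checkByMeasuredLength(req, maxSize = MAX_BODY_BYTES) {
  const declared = req.headers.get('content-length');
  if (declared !== null) {
    const n = Number.parseInt(declared, 10);
    if (!Number.isFinite(n) || n < 0) {
      return { allowed: false, basis: 'malformed content-length' };
    }
    if (n > maxSize) {
      return { allowed: false, basis: 'content-length' };
    }
  }
  const result = measureWithLimit([req.body], maxSize);
  return { allowed: !result.exceeded, basis: 'measured', bytesSeen: result.bytesSeen };
}

// Constructed attack request: declares 16 bytes, delivers 4096.
function buildAttackRequest() {
  return makeBufferedRequest(
    { 'Content-Type': 'application/json', 'Content-Length': '16' },
    new Uint8Array(4096).fill(0x41)
  );
}

// Constructed honest request: header and body agree and fit within the limit.
function buildHonestRequest() {
  const body = new TextEncoder().encode('{"ok":true}');
  return makeBufferedRequest(
    { 'Content-Type': 'application/json', 'Content-Length': String(body.byteLength) },
    body
  );
}

for (const [label, req] of [['attack', buildAttackRequest()], ['honest', buildHonestRequest()]]) {
  console.log(label, 'declared-length check:', checkByDeclaredLength(req));
  console.log(label, 'measured-length check:', checkByMeasuredLength(req));
}
```

The declared-length check admits the 4096-byte attack body because the header says 16; the measured check rejects it after seeing the first chunk cross the limit. The same measured check also refuses a non-numeric Content-Length, which the declared-length check would wave through because `NaN > maxSize` is false.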
Potential Impact
On AWS Lambda deployments an unauthenticated remote client can bypass the configured request body size limit by sending a Content-Length smaller than the payload it actually delivers. The handler then processes a body larger than the application intended to accept, which can drive up memory use and execution time per invocation (and therefore cost) or reach code paths that assumed the limit held. The recorded CVSS v3.1 score is 6.5 (medium): network attack vector, low attack complexity, no privileges required, no user interaction, with impact on confidentiality and integrity but not availability. The resource-exhaustion scenario is an availability concern that the recorded vector does not score, so treat 6.5 as the published rating rather than a ceiling on what the bypass can cost in a given deployment.
Mitigation Recommendations
Upgrade hono to version 4.12.25 or later and redeploy the function. hono is a library bundled into your Lambda deployment package or layer, so this is the application owner's change to make; the cloud-service flag on this record does not mean AWS applies the fix for you. Verify the resolved version with `npm ls hono` (or your package manager's equivalent) and check the lockfile, since a transitive dependency can pin an older release. If you cannot upgrade immediately, enforce the limit on the body bytes the adapter actually delivers rather than on the header, for example by checking the length of the buffered body in your own middleware ahead of the Body Limit Middleware. The platform's own payload ceilings (such as the 6 MB synchronous invocation payload limit for Lambda) bound the absolute size but do not enforce the limit your application configured. Confirm the fixed version against the upstream advisory before closing the finding.
CVSS v3.1
Score: 6.5 (Medium)
Affected software
- honojs hono prior to 4.12.25 (fixed in 4.12.25)
Weaknesses
- CWE-345: Insufficient Verification of Data Authenticity
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-06-12T17:46:37.293Z
- CVSS Version: 3.1
- State: PUBLISHED
- Remediation Level: null
- Is Cloud Service: true
Threat ID: 6a398861eed863c81e5021c8
Added to database: 06/22/2026, 19:09:21 UTC
Last enriched: 06/22/2026, 19:24:42 UTC
Last updated: 06/23/2026, 01:50:11 UTC