CVE-2026-54289: CWE-348: Use of Less Trusted Source in honojs hono
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.25, on AWS Lambda@Edge, CloudFront delivers a request header that appears more than once as several separate entries. The adapter writes each value with Headers.set instead of Headers.append, so every value overwrites the previous one and only the last reaches the application. Repeated request headers such as X-Forwarded-For, Forwarded, and Via are silently truncated to a single value. Request middleware sees only the last value of a repeated header instead of the full chain. For applications that base access control on the X-Forwarded-For chain, this can weaken or alter that decision; for auditing, hop history is lost. This vulnerability is fixed in 4.12.25.
AI Analysis
Technical Summary
The honojs hono framework, when deployed on AWS Lambda@Edge, mishandles repeated HTTP request headers by overwriting multiple values with only the last one retained. This is due to using Headers.set instead of Headers.append in the adapter implementation. Headers such as X-Forwarded-For, Forwarded, and Via, which may appear multiple times, are truncated to a single value. Applications relying on the full chain of these headers for access control or auditing may be affected. The vulnerability is identified as CWE-348 (Use of Less Trusted Source) and has a CVSS 3.1 base score of 4.8 (medium severity). A patch is available in hono version 4.12.25.
Potential Impact
Repeated request headers are truncated to a single value, causing applications that rely on the full chain of headers like X-Forwarded-For for access control or auditing to potentially make weakened or altered decisions. This can lead to incomplete or inaccurate client identification and loss of hop history, impacting security controls that depend on these headers.
Mitigation Recommendations
A fix is available in hono version 4.12.25. Users should upgrade to version 4.12.25 or later to resolve this issue. Since this is a cloud-hosted service scenario (AWS Lambda@Edge), the vendor manages remediation for the cloud environment. Check the vendor advisory for confirmation and apply the official patch accordingly.
CVE-2026-54289: CWE-348: Use of Less Trusted Source in honojs hono
Description
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.25, on AWS Lambda@Edge, CloudFront delivers a request header that appears more than once as several separate entries. The adapter writes each value with Headers.set instead of Headers.append, so every value overwrites the previous one and only the last reaches the application. Repeated request headers such as X-Forwarded-For, Forwarded, and Via are silently truncated to a single value. Request middleware sees only the last value of a repeated header instead of the full chain. For applications that base access control on the X-Forwarded-For chain, this can weaken or alter that decision; for auditing, hop history is lost. This vulnerability is fixed in 4.12.25.
CVSS v3.1
Score 4.8medium
Affected software
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The honojs hono framework, when deployed on AWS Lambda@Edge, mishandles repeated HTTP request headers by overwriting multiple values with only the last one retained. This is due to using Headers.set instead of Headers.append in the adapter implementation. Headers such as X-Forwarded-For, Forwarded, and Via, which may appear multiple times, are truncated to a single value. Applications relying on the full chain of these headers for access control or auditing may be affected. The vulnerability is identified as CWE-348 (Use of Less Trusted Source) and has a CVSS 3.1 base score of 4.8 (medium severity). A patch is available in hono version 4.12.25.
Potential Impact
Repeated request headers are truncated to a single value, causing applications that rely on the full chain of headers like X-Forwarded-For for access control or auditing to potentially make weakened or altered decisions. This can lead to incomplete or inaccurate client identification and loss of hop history, impacting security controls that depend on these headers.
Mitigation Recommendations
A fix is available in hono version 4.12.25. Users should upgrade to version 4.12.25 or later to resolve this issue. Since this is a cloud-hosted service scenario (AWS Lambda@Edge), the vendor manages remediation for the cloud environment. Check the vendor advisory for confirmation and apply the official patch accordingly.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-06-12T17:46:37.293Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
- Is Cloud Service
- true
Threat ID: 6a39735ceed863c81e3962aa
Added to database: 06/22/2026, 17:39:40 UTC
Last enriched: 06/22/2026, 17:54:49 UTC
Last updated: 06/22/2026, 20:04:36 UTC
Views: 8
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.