Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

CVE-2026-59897: CWE-348: Use of Less Trusted Source in honojs hono

0
Medium
VulnerabilityCVE-2026-59897cvecve-2026-59897cwe-348
Published: 07/08/2026 (07/08/2026, 16:06:11 UTC)
Source: CVE Database V5
Vendor/Project: honojs
Product: hono

Description

Hono is a JavaScript web application framework with an AWS API Gateway v1 adapter that, in versions from 4.3.3 up to but not including 4.12.27, improperly de-duplicates repeated request header values using substring comparison instead of exact matching. This causes the adapter to drop distinct repeated header values such as those in the X-Forwarded-For chain, potentially leading to incomplete data for middleware or application logic relying on these headers. The issue is fixed in version 4.12.27.

CVSS v3.1

Score 4.8medium

Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Affected software

Affected versions
>=4.3.3 <4.12.27

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/08/2026, 16:43:58 UTC

Technical Analysis

CVE-2026-59897 describes a vulnerability in the honojs hono framework's AWS API Gateway v1 adapter between versions 4.3.3 and before 4.12.27. The adapter de-duplicates repeated request header values using substring comparison rather than exact matching, which can cause distinct repeated header values to be dropped. This affects headers like X-Forwarded-For, which are critical for middleware or application logic that depend on the full chain of forwarded IP addresses for rate limiting, audit logging, or proxy-chain validation. The vulnerability is classified under CWE-348 (Use of Less Trusted Source). The issue is resolved in version 4.12.27.

Potential Impact

The vulnerability can cause middleware or application logic that relies on the complete X-Forwarded-For header chain to receive incomplete or inaccurate data. This may impair rate limiting, audit logging, or proxy-chain validation mechanisms, potentially reducing their effectiveness. The CVSS score is 4.8 (medium severity), indicating limited confidentiality and integrity impact with no availability impact.

Mitigation Recommendations

A fix is available in hono version 4.12.27. Since this is a cloud service, the vendor typically manages remediation server-side. Users should verify with the vendor advisory that their environment is updated to version 4.12.27 or later to ensure the issue is resolved. No additional mitigation is indicated by the vendor advisory.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Data Version
5.2
Assigner Short Name
GitHub_M
Date Reserved
2026-07-07T16:40:07.984Z
Cvss Version
3.1
State
PUBLISHED
Remediation Level
null
Is Cloud Service
true

Threat ID: 6a4e7ad4c9d9e3dbe36a7d7c

Added to database: 07/08/2026, 16:29:08 UTC

Last enriched: 07/08/2026, 16:43:58 UTC

Last updated: 07/08/2026, 18:15:14 UTC

Views: 5

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses