CVE-2026-59897: CWE-348: Use of Less Trusted Source in honojs hono
Hono is a JavaScript web application framework with an AWS API Gateway v1 adapter that, in versions from 4.3.3 up to but not including 4.12.27, improperly de-duplicates repeated request header values using substring comparison instead of exact matching. This causes the adapter to drop distinct repeated header values such as those in the X-Forwarded-For chain, potentially leading to incomplete data for middleware or application logic relying on these headers. The issue is fixed in version 4.12.27.
AI Analysis
Technical Summary
CVE-2026-59897 describes a vulnerability in the honojs hono framework's AWS API Gateway v1 adapter between versions 4.3.3 and before 4.12.27. The adapter de-duplicates repeated request header values using substring comparison rather than exact matching, which can cause distinct repeated header values to be dropped. This affects headers like X-Forwarded-For, which are critical for middleware or application logic that depend on the full chain of forwarded IP addresses for rate limiting, audit logging, or proxy-chain validation. The vulnerability is classified under CWE-348 (Use of Less Trusted Source). The issue is resolved in version 4.12.27.
Potential Impact
The vulnerability can cause middleware or application logic that relies on the complete X-Forwarded-For header chain to receive incomplete or inaccurate data. This may impair rate limiting, audit logging, or proxy-chain validation mechanisms, potentially reducing their effectiveness. The CVSS score is 4.8 (medium severity), indicating limited confidentiality and integrity impact with no availability impact.
Mitigation Recommendations
A fix is available in hono version 4.12.27. Since this is a cloud service, the vendor typically manages remediation server-side. Users should verify with the vendor advisory that their environment is updated to version 4.12.27 or later to ensure the issue is resolved. No additional mitigation is indicated by the vendor advisory.
CVE-2026-59897: CWE-348: Use of Less Trusted Source in honojs hono
Description
Hono is a JavaScript web application framework with an AWS API Gateway v1 adapter that, in versions from 4.3.3 up to but not including 4.12.27, improperly de-duplicates repeated request header values using substring comparison instead of exact matching. This causes the adapter to drop distinct repeated header values such as those in the X-Forwarded-For chain, potentially leading to incomplete data for middleware or application logic relying on these headers. The issue is fixed in version 4.12.27.
CVSS v3.1
Score 4.8medium
Affected software
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-59897 describes a vulnerability in the honojs hono framework's AWS API Gateway v1 adapter between versions 4.3.3 and before 4.12.27. The adapter de-duplicates repeated request header values using substring comparison rather than exact matching, which can cause distinct repeated header values to be dropped. This affects headers like X-Forwarded-For, which are critical for middleware or application logic that depend on the full chain of forwarded IP addresses for rate limiting, audit logging, or proxy-chain validation. The vulnerability is classified under CWE-348 (Use of Less Trusted Source). The issue is resolved in version 4.12.27.
Potential Impact
The vulnerability can cause middleware or application logic that relies on the complete X-Forwarded-For header chain to receive incomplete or inaccurate data. This may impair rate limiting, audit logging, or proxy-chain validation mechanisms, potentially reducing their effectiveness. The CVSS score is 4.8 (medium severity), indicating limited confidentiality and integrity impact with no availability impact.
Mitigation Recommendations
A fix is available in hono version 4.12.27. Since this is a cloud service, the vendor typically manages remediation server-side. Users should verify with the vendor advisory that their environment is updated to version 4.12.27 or later to ensure the issue is resolved. No additional mitigation is indicated by the vendor advisory.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-07-07T16:40:07.984Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
- Is Cloud Service
- true
Threat ID: 6a4e7ad4c9d9e3dbe36a7d7c
Added to database: 07/08/2026, 16:29:08 UTC
Last enriched: 07/08/2026, 16:43:58 UTC
Last updated: 07/08/2026, 18:15:14 UTC
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.