← Back
2026-06-22 17:18CVE-2026-54288GitHub_M
PUBLISHED5.2CWE-345

Hono: Body Limit Middleware can be bypassed on AWS Lambda by understating `Content-Length`

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.25, the Body Limit Middleware trusts the request's Content-Length header to decide whether a body is within the limit. On AWS Lambda (API Gateway v1/v2, ALB, VPC Lattice, and Lambda@Edge) the body is delivered fully buffered and the adapter builds the request with the client-declared Content-Length, which need not match the actual payload. A client can declare a tiny Content-Length while sending a much larger body, slipping past the limit. This vulnerability is fixed in 4.12.25.

Problem type

Affected products

honojs

hono

< 4.12.25 - AFFECTED

References

https://github.com/honojs/hono/security/advisories/GHSA-rv63-4mwf-qqc2

https://github.com/honojs/hono/security/advisories/GHSA-rv63-4mwf-qqc2

x_refsource_CONFIRM

GitHub Security Advisories

GHSA-rv63-4mwf-qqc2

hono: Body Limit Middleware can be bypassed on AWS Lambda by understating `Content-Length`

https://github.com/advisories/GHSA-rv63-4mwf-qqc2

Summary

The Body Limit Middleware trusts the request's Content-Length header to decide whether a body is within the limit. On AWS Lambda (API Gateway v1/v2, ALB, VPC Lattice, and Lambda@Edge) the body is delivered fully buffered and the adapter builds the request with the client-declared Content-Length, which need not match the actual payload. A client can declare a tiny Content-Length while sending a much larger body, slipping past the limit.

Details

When Content-Length is present and Transfer-Encoding is absent, the middleware compares the declared value against the limit and passes the request through if it is small enough. On standards-based runtimes the transport enforces that Content-Length matches the body, so this is safe. The Lambda adapters instead reconstruct the request from a buffered payload and copy the client's Content-Length verbatim, so the declared length and the real body size are decoupled.

This issue affects applications deployed on AWS Lambda that rely on the Body Limit Middleware to cap request body size.

Impact

The declared body-size limit can be bypassed: a handler reads a payload larger than the configured maximum. Processing the oversized payload (large JSON, multipart, etc.) consumes additional CPU and memory per request. The payload remains bounded by the platform's request size limits, and Lambda isolates invocations, so the impact is increased per-request resource usage rather than full denial of service. This affects applications deployed on AWS Lambda that use the Body Limit Middleware.

github.com

https://github.com/honojs/hono/security/advisories/GHSA-rv63-4mwf-qqc2

github.com

https://github.com/advisories/GHSA-rv63-4mwf-qqc2

JSON source

https://cveawg.mitre.org/api/cve/CVE-2026-54288
Click to expand
{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "cveMetadata": {
    "cveId": "CVE-2026-54288",
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "dateUpdated": "2026-06-22T17:18:24.532Z",
    "dateReserved": "2026-06-12T17:46:37.293Z",
    "datePublished": "2026-06-22T17:18:24.532Z",
    "state": "PUBLISHED"
  },
  "containers": {
    "cna": {
      "providerMetadata": {
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M",
        "dateUpdated": "2026-06-22T17:18:24.532Z"
      },
      "title": "Hono: Body Limit Middleware can be bypassed on AWS Lambda by understating `Content-Length`",
      "descriptions": [
        {
          "lang": "en",
          "value": "Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.25, the Body Limit Middleware trusts the request's Content-Length header to decide whether a body is within the limit. On AWS Lambda (API Gateway v1/v2, ALB, VPC Lattice, and Lambda@Edge) the body is delivered fully buffered and the adapter builds the request with the client-declared Content-Length, which need not match the actual payload. A client can declare a tiny Content-Length while sending a much larger body, slipping past the limit. This vulnerability is fixed in 4.12.25."
        }
      ],
      "affected": [
        {
          "vendor": "honojs",
          "product": "hono",
          "versions": [
            {
              "version": "< 4.12.25",
              "status": "affected"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "CWE-345: Insufficient Verification of Data Authenticity",
              "cweId": "CWE-345",
              "type": "CWE"
            }
          ]
        }
      ],
      "references": [
        {
          "url": "https://github.com/honojs/hono/security/advisories/GHSA-rv63-4mwf-qqc2",
          "name": "https://github.com/honojs/hono/security/advisories/GHSA-rv63-4mwf-qqc2",
          "tags": [
            "x_refsource_CONFIRM"
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM"
          }
        }
      ]
    }
  }
}