2026-06-22 17:16 · CVE-2026-54289 · GitHub_M
PUBLISHED · CVE JSON 5.2 · CWE-348

Hono: Lambda@Edge adapter keeps only the last value of a repeated request header, dropping the rest

Hono is a Web application framework that provides support for any JavaScript runtime. On AWS Lambda@Edge, CloudFront delivers a request header that appears more than once as several separate entries. Prior to 4.12.25, the Lambda@Edge adapter writes each entry with Headers.set instead of Headers.append, so every value overwrites the previous one and only the last reaches the application. Repeated request headers such as X-Forwarded-For, Forwarded, and Via are silently truncated to a single value, so request middleware sees only the last value of a repeated header instead of the full chain. For applications that base access control on the X-Forwarded-For chain, this can weaken or alter that decision; for auditing, hop history is lost. This vulnerability is fixed in 4.12.25.

Problem type

CWE-348: Use of Less Trusted Source

Affected products

honojs

hono

< 4.12.25 - AFFECTED

References

GitHub Security Advisories

GHSA-wgpf-jwqj-8h8p

hono: Lambda@Edge adapter keeps only the last value of a repeated request header, dropping the rest

https://github.com/advisories/GHSA-wgpf-jwqj-8h8p

Summary

On AWS Lambda@Edge, CloudFront delivers a request header that appears more than once as several separate entries. The Lambda@Edge adapter writes each entry with Headers.set instead of Headers.append, so every value overwrites the previous one and only the last reaches the application. Repeated request headers such as X-Forwarded-For, Forwarded, and Via are silently truncated to a single value.

Details

A repeated request header carries an ordered list of values. The adapter iterates the list but overwrites on each step, keeping only the final value. Middleware that depends on the full list — for example IP restriction that walks the X-Forwarded-For chain, or auditing based on Forwarded/Via hops — receives incomplete data. The API Gateway adapter already appends repeated values and is not affected.

This issue arises only on Lambda@Edge deployments, for requests that contain the same header more than once.

Impact

Request middleware sees only the last value of a repeated header instead of the full chain. For applications that base access control on the X-Forwarded-For chain, this can weaken or alter that decision; for auditing, hop history is lost. This affects applications deployed on AWS Lambda@Edge that rely on multi-value request headers.
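The following is an added example that illustrates the mechanism described in the Summary, Details and Impact sections above; it is not Hono's adapter code or the project's IP-restriction middleware. The event shape follows the documented CloudFront Lambda@Edge request format (each lowercased header name maps to an array of { key, value } entries), but the header values, the trusted-proxy set, the allow-list policy and all function names are constructed for this illustration. It needs Node 18 or later for the global Headers class.

```javascript
// Added example (not Hono's adapter code). Requires Node 18+ for the global Headers class.
//
// In a CloudFront Lambda@Edge event, request.headers maps each lowercased header
// name to an array of { key, value } entries; a header that appears more than once
// arrives as several entries. The sample below is constructed for this example.
const sampleCfHeaders = {
  host: [{ key: 'Host', value: 'api.example.com' }],
  'x-forwarded-for': [
    { key: 'X-Forwarded-For', value: '203.0.113.7' },   // originating client
    { key: 'X-Forwarded-For', value: '198.51.100.20' }, // proxy that forwarded the request
  ],
  via: [
    { key: 'Via', value: '1.1 proxy-a' },
    { key: 'Via', value: '1.1 proxy-b' },
  ],
};

// Lossy conversion, the pattern the advisory describes: Headers.set replaces any
// existing value, so the last entry of a repeated header is the only one kept.
function toHeadersLossy(cfHeaders) {
  const headers = new Headers();
  for (const [name, entries] of Object.entries(cfHeaders)) {
    for (const entry of entries) headers.set(entry.key ?? name, entry.value);
  }
  return headers;
}

// Corrected conversion: Headers.append keeps every entry in order; Headers.get then
// returns them joined with ", ", the standard combined form of a list-valued header.
function toHeadersComplete(cfHeaders) {
  const headers = new Headers();
  for (const [name, entries] of Object.entries(cfHeaders)) {
    for (const entry of entries) headers.append(entry.key ?? name, entry.value);
  }
  return headers;
}

// Minimal chain walk of the kind IP-restriction middleware performs: read the
// X-Forwarded-For list right to left, skip hops that are trusted proxies, and
// treat the first untrusted hop as the client address. Returns null when the
// header is absent or every hop is a trusted proxy.
function clientIpFromXff(headers, trustedProxies) {
  const xff = headers.get('x-forwarded-for');
  if (xff === null) return null;
  const hops = xff.split(',').map((s) => s.trim()).filter((s) => s.length > 0);
  for (let i = hops.length - 1; i >= 0; i--) {
    if (!trustedProxies.has(hops[i])) return hops[i];
  }
  return null;
}

// Allow-list decision built on that chain walk (hypothetical policy).
function isAllowed(headers, trustedProxies, allowedClients) {
  const client = clientIpFromXff(headers, trustedProxies);
  return client !== null && allowedClients.has(client);
}

// Run the same policy against both conversions of the same event.
function compareDecisions(cfHeaders) {
  const trustedProxies = new Set(['198.51.100.20']);
  const allowedClients = new Set(['203.0.113.7']);
  const lossy = toHeadersLossy(cfHeaders);
  const complete = toHeadersComplete(cfHeaders);
  return {
    lossyXff: lossy.get('x-forwarded-for'),        // '198.51.100.20'
    completeXff: complete.get('x-forwarded-for'),  // '203.0.113.7, 198.51.100.20'
    lossyVia: lossy.get('via'),                    // '1.1 proxy-b'
    completeVia: complete.get('via'),              // '1.1 proxy-a, 1.1 proxy-b'
    lossyAllowed: isAllowed(lossy, trustedProxies, allowedClients),       // false
    completeAllowed: isAllowed(complete, trustedProxies, allowedClients), // true
  };
}

console.log(compareDecisions(sampleCfHeaders));
```

With the lossy conversion the chain collapses to the proxy's address alone, so the walk finds no untrusted hop and the legitimate client is denied; with the appending conversion the same request is allowed. A policy that instead fell back to the last remaining hop when every hop is trusted would take the proxy address as the client, which is the weakening case the advisory refers to. The Via comparison shows the auditing loss: one hop of the route disappears.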

JSON source

https://cveawg.mitre.org/api/cve/CVE-2026-54289
{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "cveMetadata": {
    "cveId": "CVE-2026-54289",
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "dateUpdated": "2026-06-22T18:19:34.502Z",
    "dateReserved": "2026-06-12T17:46:37.293Z",
    "datePublished": "2026-06-22T17:16:58.553Z",
    "state": "PUBLISHED"
  },
  "containers": {
    "cna": {
      "providerMetadata": {
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M",
        "dateUpdated": "2026-06-22T17:16:58.553Z"
      },
      "title": "Hono: Lambda@Edge adapter keeps only the last value of a repeated request header, dropping the rest",
      "descriptions": [
        {
          "lang": "en",
          "value": "Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.25, on AWS Lambda@Edge, CloudFront delivers a request header that appears more than once as several separate entries. The adapter writes each value with Headers.set instead of Headers.append, so every value overwrites the previous one and only the last reaches the application. Repeated request headers such as X-Forwarded-For, Forwarded, and Via are silently truncated to a single value. Request middleware sees only the last value of a repeated header instead of the full chain. For applications that base access control on the X-Forwarded-For chain, this can weaken or alter that decision; for auditing, hop history is lost. This vulnerability is fixed in 4.12.25."
        }
      ],
      "affected": [
        {
          "vendor": "honojs",
          "product": "hono",
          "versions": [
            {
              "version": "< 4.12.25",
              "status": "affected"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "CWE-348: Use of Less Trusted Source",
              "cweId": "CWE-348",
              "type": "CWE"
            }
          ]
        }
      ],
      "references": [
        {
          "url": "https://github.com/honojs/hono/security/advisories/GHSA-wgpf-jwqj-8h8p",
          "name": "https://github.com/honojs/hono/security/advisories/GHSA-wgpf-jwqj-8h8p",
          "tags": [
            "x_refsource_CONFIRM"
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
            "attackVector": "NETWORK",
            "attackComplexity": "HIGH",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE",
            "baseScore": 4.8,
            "baseSeverity": "MEDIUM"
          }
        }
      ]
    },
    "adp": [
      {
        "providerMetadata": {
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP",
          "dateUpdated": "2026-06-22T18:19:34.502Z"
        },
        "title": "CISA ADP Vulnrichment",
        "references": [
          {
            "url": "https://github.com/honojs/hono/security/advisories/GHSA-wgpf-jwqj-8h8p",
            "tags": [
              "exploit"
            ]
          }
        ],
        "metrics": [
          {}
        ]
      }
    ]
  }
}