CVE-2024-43787
Severity: MEDIUM · CVSS 3.1 base score 5.0 · EPSS 13.8%
Published: Aug 22, 2024 · Last modified: Jun 17, 2026
Description
Hono is a web application framework that runs on any JavaScript runtime. Hono's CSRF middleware can be bypassed with a crafted Content-Type header. MIME types are case-insensitive, but the middleware's isRequestedByFormElementRe regular expression matches only the lower-case spelling of the form-like MIME types, so a state-changing request whose Content-Type uses upper- or mixed-case (for example Multipart/Form-Data) is not recognised as a form submission and the CSRF check is skipped. An attacker can therefore bypass the CSRF middleware by sending a form-like MIME type in upper case. This vulnerability is fixed in Hono 4.5.8.
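The bypass described above, as an added example (my own code, not Hono's source): a minimal model of a CSRF middleware that gates on form-like Content-Types, with a vulnerable matcher that is case-sensitive, as the advisory describes, beside a fixed matcher carrying the `i` flag. The request shape, the helper names and the origin rule (the Origin header must equal the request's own origin) are assumptions made for the demonstration; the three media types are the ones an HTML form can submit.

```javascript
// Added example, not Hono's source. Models the check the advisory describes so the
// bypass can be exercised offline. Request shape {method, url, headers} and helper
// names are assumptions made for this demonstration.

const SAFE_METHOD_RE = /^(GET|HEAD)$/;

// The three media types an HTML <form> can submit. A browser sends these
// cross-site, with cookies, without a CORS preflight, so a CSRF middleware must
// gate exactly these. Media types are case-insensitive (RFC 2045 section 5.1).
// Vulnerable matcher: no `i` flag, so "Multipart/Form-Data" is not recognised.
const FORM_MIME_RE_VULNERABLE =
  /^(application\/x-www-form-urlencoded|multipart\/form-data|text\/plain)\b/;
// Fixed matcher: identical pattern, case-insensitive.
const FORM_MIME_RE_FIXED =
  /^(application\/x-www-form-urlencoded|multipart\/form-data|text\/plain)\b/i;

// Returns 'allow' or 'forbid'. `formMimeRe` is the matcher under test.
function csrfCheck(req, formMimeRe) {
  // Safe methods carry no state change and are never blocked.
  if (SAFE_METHOD_RE.test(req.method)) return 'allow';
  const contentType = req.headers['content-type'] || '';
  // Non-form bodies cannot be sent cross-site without a preflight, so the
  // middleware only inspects form-like ones. This is the decision the casing
  // trick subverts: an unrecognised Content-Type falls through as 'allow'.
  if (!formMimeRe.test(contentType)) return 'allow';
  // Form-like body: require the Origin header to match the request's own origin
  // (assumed rule; a real middleware may consult an allow-list instead).
  const ownOrigin = new URL(req.url).origin;
  return req.headers['origin'] === ownOrigin ? 'allow' : 'forbid';
}

// Constructed request: a state-changing POST from an attacker-controlled page.
function crossSitePost(contentType) {
  return {
    method: 'POST',
    url: 'https://app.example/transfer',
    headers: { 'content-type': contentType, origin: 'https://attacker.example' },
  };
}

// Constructed request: the same POST from the application's own page.
function sameOriginPost(contentType) {
  return {
    method: 'POST',
    url: 'https://app.example/transfer',
    headers: { 'content-type': contentType, origin: 'https://app.example' },
  };
}

// Runs a set of cross-site Content-Type spellings through both matchers and
// returns { [contentType]: { vulnerable, fixed } }.
function runScenarios() {
  const spellings = [
    'multipart/form-data; boundary=x',   // canonical: both versions block
    'Multipart/Form-Data; boundary=x',   // crafted casing: vulnerable allows
    'APPLICATION/X-WWW-FORM-URLENCODED', // crafted casing: vulnerable allows
    'application/json',                  // not form-like: both allow (needs a preflight anyway)
  ];
  const results = {};
  for (const ct of spellings) {
    results[ct] = {
      vulnerable: csrfCheck(crossSitePost(ct), FORM_MIME_RE_VULNERABLE),
      fixed: csrfCheck(crossSitePost(ct), FORM_MIME_RE_FIXED),
    };
  }
  return results;
}

for (const [ct, r] of Object.entries(runScenarios())) {
  console.log(`${ct.padEnd(36)} vulnerable=${r.vulnerable.padEnd(6)} fixed=${r.fixed}`);
}
```

On delivery: a plain `<form>` cannot produce the crafted spelling, because browsers canonicalise `enctype` to lower case. It comes from `fetch()` on the attacker's page with `credentials: 'include'`. Content-Type is CORS-safelisted whenever its parsed essence is one of the three form types, and that parse is case-insensitive, so the browser sends the request with cookies and no preflight while the raw header value keeps the attacker's casing all the way to the server.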
CVSS Details
- Base score: 5.0 (CVSS 3.1); exploitability sub-score 1.6, impact sub-score 3.4 (derived from the vector below)
- Vector string: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Confidentiality: Low
- Integrity: Low
- Availability: Low
Threat Intelligence
- EPSS: 13.8% (estimated probability of exploitation activity in the next 30 days)
Exploit & Patch Status
- Public exploit: known
- Patch: available (Hono 4.5.8)
Weaknesses (1)
- CWE-352: Cross-Site Request Forgery (CSRF), category: Authentication
Affected Products (1)
| Vendor | Product | Version | Range |
|---|---|---|---|
| hono | hono | * | <4.5.8 |
References (3)
- github.com https://github.com/honojs/hono/blob/b0af71fbcc6dbe44140ea76f16d68dfdb32a99a0/src/middleware/csrf/index.ts#L16-L17
- github.com https://github.com/honojs/hono/commit/41ce840379516410dee60c783142e05bb5a22449
- github.com https://github.com/honojs/hono/security/advisories/GHSA-rpfr-3m35-5vx5
Remediation
- github.com https://github.com/honojs/hono/commit/41ce840379516410dee60c783142e05bb5a22449