CVE-2024-43787

Severity: MEDIUM · EPSS 13.8%
Published Aug 22, 2024 · Modified Jun 17, 2026
CVSS 3.1 base score 5.0 (Medium)

Description

Hono is a web application framework that runs on any JavaScript runtime. Hono's CSRF middleware can be bypassed with a crafted Content-Type header. MIME types are case-insensitive, but the isRequestedByFormElementRe regular expression only matches lower-case values, so an attacker can bypass the CSRF middleware by sending a form-like MIME type in upper case. This vulnerability is fixed in 4.5.8.
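The following is an added illustration of the defect class described above, not Hono's own source: a simplified CSRF guard that classifies a request body as "form-like" with a lower-case-only regular expression, beside the same guard with a case-insensitive match. The regex, the function names and the sample requests are assumptions made for this example; only the description's point (MIME types are case-insensitive, the check was not) comes from the record.

```javascript
// Added illustration (not Hono's source): a CSRF guard whose "form-like body"
// test is case-sensitive, beside the case-insensitive fix. The regex, names
// and sample requests below are assumptions constructed for this example.

// MIME types a plain HTML form can submit cross-site; a CSRF guard must treat
// every one of them as risky. MIME types are case-insensitive (RFC 2045), so a
// lower-case-only pattern is the defect: "Application/x-www-form-urlencoded"
// is not matched and the request is waved through.
const FORM_LIKE_LOWER_ONLY =
  /^(application\/x-www-form-urlencoded|multipart\/form-data|text\/plain)\b/;

// Hardened pattern: the `i` flag makes the match case-insensitive.
const FORM_LIKE =
  /^(application\/x-www-form-urlencoded|multipart\/form-data|text\/plain)\b/i;

const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

// Returns true when the request should be rejected as a likely CSRF:
// a state-changing method, a form-like body, and an Origin that is not ours.
function shouldBlockCsrf(req, allowedOrigin, formLikeRe) {
  if (SAFE_METHODS.has(req.method.toUpperCase())) return false;
  const contentType = req.headers['content-type'] || '';
  // A body that is not form-like could not have come from a cross-site <form>,
  // so the guard lets it through. This classification is where the bug lives.
  if (!formLikeRe.test(contentType)) return false;
  return req.headers.origin !== allowedOrigin;
}

const ALLOWED_ORIGIN = 'https://app.example';

// Constructed sample requests (header names lower-cased, as Node.js does).
function makeRequest(contentType, origin) {
  return { method: 'POST', headers: { 'content-type': contentType, origin } };
}
const crossSiteLower = makeRequest('application/x-www-form-urlencoded', 'https://other.example');
const crossSiteUpper = makeRequest('Application/X-WWW-Form-Urlencoded', 'https://other.example');
const sameOrigin = makeRequest('Application/X-WWW-Form-Urlencoded', ALLOWED_ORIGIN);

// Run both guards over the same requests so the difference is visible.
function compareGuards() {
  return {
    vulnerable: {
      lowerCase: shouldBlockCsrf(crossSiteLower, ALLOWED_ORIGIN, FORM_LIKE_LOWER_ONLY), // true
      upperCase: shouldBlockCsrf(crossSiteUpper, ALLOWED_ORIGIN, FORM_LIKE_LOWER_ONLY), // false: missed
    },
    fixed: {
      lowerCase: shouldBlockCsrf(crossSiteLower, ALLOWED_ORIGIN, FORM_LIKE), // true
      upperCase: shouldBlockCsrf(crossSiteUpper, ALLOWED_ORIGIN, FORM_LIKE), // true
      sameOrigin: shouldBlockCsrf(sameOrigin, ALLOWED_ORIGIN, FORM_LIKE),    // false
    },
  };
}

console.log(JSON.stringify(compareGuards(), null, 2));
```

The general lesson is the same for any allow/deny decision keyed on a header whose value is defined as case-insensitive (media types, header field names, scheme and host in URLs): normalise the value, or match case-insensitively, before comparing. A regression test that feeds mixed-case variants of every listed MIME type, as the fixed guard above does, is the cheapest way to keep such a check from silently regressing.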

CVSS Details

Base Score
5.0
Exploitability
1.6
Impact
3.4
Vector string
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
Attack Vector Network
Attack Complexity High
Privileges Required None
User Interaction Required
Scope Unchanged
Confidentiality Low
Integrity Low
Availability Low

Threat Intelligence

EPSS Exploit Probability
13.8% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 1

CWE-352 Cross-Site Request Forgery (CSRF) Authentication

Affected Products 1

Vendor   Product   Version   Range
hono     hono      *         <4.5.8

References 3

  • Product: https://github.com/honojs/hono/blob/b0af71fbcc6dbe44140ea76f16d68dfdb32a99a0/src/middleware/csrf/index.ts#L16-L17
  • Patch: https://github.com/honojs/hono/commit/41ce840379516410dee60c783142e05bb5a22449
  • Exploit, Vendor Advisory: https://github.com/honojs/hono/security/advisories/GHSA-rpfr-3m35-5vx5

Remediation

  • Patch: https://github.com/honojs/hono/commit/41ce840379516410dee60c783142e05bb5a22449