CVE-2025-59139

MEDIUM EPSS 33.4%
Published Sep 12, 20259mo ago · Modified Jun 17, 20262w ago
5.3 CVSS 3.1
Medium
Find Similar
Published Sep 12, 2025 9mo ago
Last Modified Jun 17, 2026 2w ago

Description

Hono is a Web application framework that provides support for any JavaScript runtime. In versions prior to 4.9.7, a flaw in the `bodyLimit` middleware could allow bypassing the configured request body size limit when conflicting HTTP headers were present. The middleware previously prioritized the `Content-Length` header even when a `Transfer-Encoding: chunked` header was also included. According to the HTTP specification, `Content-Length` must be ignored in such cases. This discrepancy could allow oversized request bodies to bypass the configured limit. Most standards-compliant runtimes and reverse proxies may reject such malformed requests with `400 Bad Request`, so the practical impact depends on the runtime and deployment environment. If body size limits are used as a safeguard against large or malicious requests, this flaw could allow attackers to send oversized request bodies. The primary risk is denial of service (DoS) due to excessive memory or CPU consumption when handling very large requests. The implementation has been updated to align with the HTTP specification, ensuring that `Transfer-Encoding` takes precedence over `Content-Length`. The issue is fixed in Hono v4.9.7, and all users should upgrade immediately.

CVSS Details

Base Score
5.3
Exploitability
3.9
Impact
1.4
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability Low

Threat Intelligence

EPSS Exploit Probability
33.4% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 2

CWE-400 Uncontrolled Resource Consumption Resource Mgmt
CWE-770

Affected Products 1

VendorProductVersionRange
honohono* <4.9.7

References 2

  • github.com https://github.com/honojs/hono/commit/605c70560b52f13af10379f79b76717042fafe8d
    Patch
  • github.com https://github.com/honojs/hono/security/advisories/GHSA-92vj-g62v-jqhh
    Vendor Advisory

Remediation

  • github.com https://github.com/honojs/hono/commit/605c70560b52f13af10379f79b76717042fafe8d
    Patch