5
CVE-2024-43787
- EPSS 0.23%
- Veröffentlicht 22.08.2024 15:15:16
- Zuletzt bearbeitet 17.09.2025 20:34:47
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
Hono CSRF middleware can be bypassed using crafted Content-Type header
Hono is a Web application framework that provides support for any JavaScript runtime. Hono CSRF middleware can be bypassed using crafted Content-Type header. MIME types are case insensitive, but isRequestedByFormElementRe only matches lower-case. As a result, attacker can bypass csrf middleware using upper-case form-like MIME type. This vulnerability is fixed in 4.5.8.
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.23% | 0.136 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security-advisories@github.com | 5 | 1.6 | 3.4 |
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
|
CWE-352 Cross-Site Request Forgery (CSRF)
The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
https://github.com/honojs/hono/blob/b0af71fbcc6dbe44140ea76f16d68dfdb32a99a0/src/middleware/csrf/index.ts#L16-L17
https://github.com/honojs/hono/commit/41ce840379516410dee60c783142e05bb5a22449
https://github.com/honojs/hono/security/advisories/GHSA-rpfr-3m35-5vx5