CVE-2025-59139

EPSS 0.05%
Veröffentlicht 12.09.2025 13:03:05
Zuletzt bearbeitet 17.09.2025 20:35:36
Quelle security-advisories@github.com
Teams Watchlist Login
Unerledigt Login

Hono is a Web application framework that provides support for any JavaScript runtime. In versions prior to 4.9.7, a flaw in the `bodyLimit` middleware could allow bypassing the configured request body size limit when conflicting HTTP headers were present. The middleware previously prioritized the `Content-Length` header even when a `Transfer-Encoding: chunked` header was also included. According to the HTTP specification, `Content-Length` must be ignored in such cases. This discrepancy could allow oversized request bodies to bypass the configured limit. Most standards-compliant runtimes and reverse proxies may reject such malformed requests with `400 Bad Request`, so the practical impact depends on the runtime and deployment environment. If body size limits are used as a safeguard against large or malicious requests, this flaw could allow attackers to send oversized request bodies. The primary risk is denial of service (DoS) due to excessive memory or CPU consumption when handling very large requests. The implementation has been updated to align with the HTTP specification, ensuring that `Transfer-Encoding` takes precedence over `Content-Length`. The issue is fixed in Hono v4.9.7, and all users should upgrade immediately.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 2 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Hono ≫ Hono SwPlatformnode.js Version < 4.9.7

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.05%	0.168

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CWE-400 Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

CWE-770 Allocation of Resources Without Limits or Throttling

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

https://github.com/honojs/hono/security/advisories/GHSA-92vj-g62v-jqhh

Vendor Advisory

https://github.com/honojs/hono/commit/605c70560b52f13af10379f79b76717042fafe8d

Patch

https://nvd.nist.gov/vuln/detail/CVE-2025-59139

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-59139

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-59139

EUVD