5.3
CVE-2026-59897
- EPSS 0.12%
- Veröffentlicht 08.07.2026 16:06:11
- Zuletzt bearbeitet 10.07.2026 19:50:16
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
Hono: API Gateway v1 adapter can drop a distinct repeated request header value during de-duplication
Hono is a Web application framework that provides support for any JavaScript runtime. From 4.3.3 before 4.12.27, the AWS API Gateway v1 adapter can drop a distinct repeated request header value because it de-duplicates values using a substring comparison instead of an exact match, so middleware or application logic that depends on the complete X-Forwarded-For chain, rate limiting, audit logging, or proxy-chain validation can receive incomplete data. This issue is fixed in version 4.12.27.
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.12% | 0.025 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 5.3 | 3.9 | 1.4 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
|
| security-advisories@github.com | 4.8 | 2.2 | 2.5 |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
|
CWE-348 Use of Less Trusted Source
The product has two different sources of the same data or information, but it uses the source that has less support for verification, is less trusted, or is less resistant to attack.
https://github.com/honojs/hono/releases/tag/v4.12.27
https://github.com/honojs/hono/security/advisories/GHSA-xgm2-5f3f-mvvc
https://github.com/honojs/hono/commit/aa921770d09bc35970362d5a2630a878f6d982fd