hono is vulnerable to Improper Input Validation
Risk score: 65 (Medium Risk)
The body size limit middleware wrapped the request body in a streaming counter that was updated asynchronously. When Content-Length was missing or the body was chunked, downstream handlers could run before the limit decision was applied. Handlers that returned early, read only part of the stream, or masked read errors could therefore finish with a successful status, so oversized payloads sometimes reached application logic despite the configured maximum. The implementation now buffers the body and enforces the limit before invoking next(), which restores the documented guarantee that oversized requests are rejected before business logic runs.
You are affected if you are using a version that falls within the vulnerable range.
hono is vulnerable to Improper Input Validation in versions 0.0.1 - 4.12.15.
Upgrade the hono library to the patch version.
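The ordering problem described above, as an added example that is not hono's code: a simplified synchronous model in which the body is an iterator of chunks with no Content-Length. The names `lazyLimit`, `bufferedLimit`, the three handlers and the 8-byte limit are assumptions made for illustration.

```javascript
// Model (assumption): a chunked body with no Content-Length is an iterator of chunks.
const MAX = 8; // constructed limit, in bytes
function* chunkedBody(chunks) {
  for (const c of chunks) yield Buffer.from(c);
}

// "Before" ordering: wrap the body in a counter that can only fail while the
// handler is consuming it, then invoke the handler immediately.
function lazyLimit(body, max, handler) {
  let seen = 0;
  function* counted() {
    for (const chunk of body) {
      seen += chunk.length;
      if (seen > max) throw new Error('body too large');
      yield chunk;
    }
  }
  try {
    return handler(counted());
  } catch {
    return 413; // only reached if the handler reads far enough and rethrows
  }
}

// "After" ordering: drain and count first, reject before the handler runs,
// and pass the handler an already-validated buffer.
function bufferedLimit(body, max, handler) {
  const parts = [];
  let seen = 0;
  for (const chunk of body) {
    seen += chunk.length;
    if (seen > max) return 413; // handler is never invoked
    parts.push(chunk);
  }
  return handler([Buffer.concat(parts)]);
}

// The three handler shapes the advisory names (hypothetical application code).
const handlers = {
  returnsEarly: () => 200,
  readsPartially: (b) => { b[Symbol.iterator]().next(); return 200; },
  masksErrors: (b) => { try { for (const _ of b); } catch {} return 200; },
};
const oversized = () => chunkedBody(['aaaa', 'bbbb', 'cccc']); // 12 bytes > MAX

// Status each ordering produces per handler for the same oversized body.
function compare() {
  return Object.fromEntries(Object.entries(handlers).map(([name, h]) => [name,
    { lazy: lazyLimit(oversized(), MAX, h), buffered: bufferedLimit(oversized(), MAX, h) }]));
}
```

For a regression test after upgrading, the same three handler shapes with a chunked oversized request should each yield a rejection rather than a success status.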