Intel

AIKIDO-2026-155253

hono is vulnerable to Access Control Bypass

Access Control BypassGHSA-xgm2-5f3f-mvvc Published Jun 24, 2026

48

Medium Risk

This Affects:

JShono
4.3.3 - 4.12.26
Fixed in 4.12.27
Are you affected? Scan for Free

TL;DR

The AWS API Gateway v1 adapter in hono/aws-lambda de-duplicates repeated request header values using a substring comparison instead of an exact match. A distinct value that is a substring of another value of the same header is dropped, for example 203.0.113.1 is omitted when 203.0.113.10 is also present. Application logic that relies on the complete ordered list of values, such as X-Forwarded-For IP restriction, rate limiting, or proxy-chain validation, can therefore make decisions on incomplete data and be bypassed. The fix compares values exactly so all distinct repeated header values are preserved.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and your application is deployed through Hono's AWS API Gateway v1 or VPC Lattice adapter and relies on the complete set of repeated request header values.

Background info

hono is vulnerable to Access Control Bypass in versions 4.3.3 - 4.12.26.

How to fix this

Upgrade the hono library to the patch version.