hono is vulnerable to Access Control Bypass
48
Medium Risk
The AWS API Gateway v1 adapter in hono/aws-lambda de-duplicates repeated request header values using a substring comparison instead of an exact match. A distinct value that is a substring of another value of the same header is dropped, for example 203.0.113.1 is omitted when 203.0.113.10 is also present. Application logic that relies on the complete ordered list of values, such as X-Forwarded-For IP restriction, rate limiting, or proxy-chain validation, can therefore make decisions on incomplete data and be bypassed. The fix compares values exactly so all distinct repeated header values are preserved.
You are affected if you are using a version that falls within the vulnerable range and your application is deployed through Hono's AWS API Gateway v1 or VPC Lattice adapter and relies on the complete set of repeated request header values.
hono is vulnerable to Access Control Bypass in versions 4.3.3 - 4.12.26.
Upgrade the hono library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant