CVE-2025-59139
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-12

Last updated on: 2025-09-17

Assigner: GitHub, Inc.

Description
Hono is a Web application framework that provides support for any JavaScript runtime. In versions prior to 4.9.7, a flaw in the `bodyLimit` middleware could allow bypassing the configured request body size limit when conflicting HTTP headers were present. The middleware previously prioritized the `Content-Length` header even when a `Transfer-Encoding: chunked` header was also included. According to the HTTP specification, `Content-Length` must be ignored in such cases. This discrepancy could allow oversized request bodies to bypass the configured limit. Most standards-compliant runtimes and reverse proxies may reject such malformed requests with `400 Bad Request`, so the practical impact depends on the runtime and deployment environment. If body size limits are used as a safeguard against large or malicious requests, this flaw could allow attackers to send oversized request bodies. The primary risk is denial of service (DoS) due to excessive memory or CPU consumption when handling very large requests. The implementation has been updated to align with the HTTP specification, ensuring that `Transfer-Encoding` takes precedence over `Content-Length`. The issue is fixed in Hono v4.9.7, and all users should upgrade immediately.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-12
Last Modified
2025-09-17
Generated
2026-06-16
AI Q&A
2025-09-12
EPSS Evaluated
2026-06-14
NVD
CVE-2025-59139
EUVD
EUVD-2025-29042
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
hono hono to 4.9.7 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Hono web application framework versions prior to 4.9.7. The flaw is in the 'bodyLimit' middleware, which is supposed to limit the size of HTTP request bodies. However, when conflicting HTTP headers are presentβ€”specifically both 'Content-Length' and 'Transfer-Encoding: chunked'β€”the middleware incorrectly prioritizes 'Content-Length' instead of ignoring it as required by the HTTP specification. This allows attackers to bypass the configured request body size limit by sending oversized request bodies, potentially causing the application to process much larger requests than intended.

Impact Analysis

The primary impact of this vulnerability is a denial of service (DoS) risk. Attackers can send oversized request bodies that bypass the size limit, leading to excessive memory or CPU consumption on the server. This can degrade performance or cause the application to crash. The practical impact depends on the runtime and deployment environment, as many standards-compliant runtimes and reverse proxies may reject such malformed requests with a '400 Bad Request' response, mitigating the risk.

Mitigation Strategies

The immediate step to mitigate this vulnerability is to upgrade Hono to version 4.9.7 or later, where the issue with the bodyLimit middleware has been fixed to properly prioritize the Transfer-Encoding header over Content-Length as per the HTTP specification.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-59139. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart