Executive Summary

The vulnerability in Hono versions 4.12.0 and 4.12.1 involves incorrect handling of the X-Forwarded-For HTTP header when using the AWS Lambda adapter behind an AWS Application Load Balancer (ALB). The getConnInfo() function mistakenly selects the first IP address from the X-Forwarded-For header as the client IP. However, AWS ALB appends the real client IP address to the end of this header, meaning the first IP can be controlled by an attacker.

Because of this, an attacker can spoof their IP address by inserting a fake IP at the start of the header, causing IP-based access control mechanisms (like the ipRestriction middleware) to be bypassed. This allows unauthorized access based on IP restrictions.

The issue was fixed in version 4.12.2 by changing the logic to extract the last IP address from the X-Forwarded-For header, which correctly identifies the real client IP appended by the ALB.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow an unauthenticated remote attacker to bypass IP-based access controls by spoofing the X-Forwarded-For header. As a result, attackers can gain unauthorized access to resources or services that rely on IP restrictions for security.

Specifically, if your application uses the Hono AWS Lambda adapter behind an AWS ALB and employs IP-based restrictions (such as the ipRestriction middleware or custom authorization relying on client IP), these protections can be circumvented.

The severity of this vulnerability is high, with a CVSS v3.1 score of 8.2, indicating a significant risk of confidentiality breach and integrity impact without requiring any privileges or user interaction.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability involves the incorrect extraction of the client IP address from the X-Forwarded-For header when using the Hono AWS Lambda adapter behind an AWS Application Load Balancer (ALB). To detect if your system is vulnerable, you can inspect the X-Forwarded-For headers in incoming requests to see if the first IP address is attacker-controlled or spoofed.'}, {'type': 'paragraph', 'content': 'You can monitor logs or capture network traffic to check the X-Forwarded-For header values and verify whether the IP used for access control matches the last IP in the header (the real client IP appended by ALB) or the first IP (which could be spoofed).'}, {'type': 'paragraph', 'content': 'Suggested commands include using tools like curl or tcpdump to inspect headers and network traffic:'}, {'type': 'list_item', 'content': 'Use curl to send requests with custom X-Forwarded-For headers and observe server behavior: curl -H "X-Forwarded-For: spoofed-ip" https://your-application'}, {'type': 'list_item', 'content': "Use tcpdump or similar packet capture tools to capture HTTP headers and analyze X-Forwarded-For values: sudo tcpdump -i any -A -s 0 'tcp port 80 or tcp port 443' | grep X-Forwarded-For"}, {'type': 'list_item', 'content': 'Check application logs for IP addresses used in access control decisions and verify if they correspond to the last IP in the X-Forwarded-For header rather than the first.'}] [1, 2, 3]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate and recommended mitigation is to upgrade the Hono framework to version 4.12.2 or later, where the vulnerability has been fixed.

The fix changes the logic in the AWS Lambda adapter to correctly extract the client IP address from the last value in the X-Forwarded-For header instead of the first, preventing IP spoofing and bypass of IP-based access controls.

If upgrading immediately is not possible, consider implementing additional validation on the X-Forwarded-For header or restricting access through other means until the patch can be applied.

Useful 0 Not Useful 0