CVE-2026-59897
Received Received - Intake

Incorrect AWS API Gateway v1 Adapter Header Handling in Hono

Vulnerability report for CVE-2026-59897, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: GitHub, Inc.

Description

Hono is a Web application framework that provides support for any JavaScript runtime. From 4.3.3 before 4.12.27, the AWS API Gateway v1 adapter can drop a distinct repeated request header value because it de-duplicates values using a substring comparison instead of an exact match, so middleware or application logic that depends on the complete X-Forwarded-For chain, rate limiting, audit logging, or proxy-chain validation can receive incomplete data. This issue is fixed in version 4.12.27.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-09
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
honojs hono to 4.12.27 (exc)
honojs hono 4.12.27

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-348 The product has two different sources of the same data or information, but it uses the source that has less support for verification, is less trusted, or is less resistant to attack.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The vulnerability in Hono's AWS API Gateway v1 adapter causes it to drop distinct repeated request header values because it uses substring comparison instead of exact matching when de-duplicating headers.

For example, if the header contains values like "203.0.113.1" and "203.0.113.10", the adapter might incorrectly treat them as duplicates and omit one.

This leads to incomplete data being passed to middleware or application logic that relies on the full X-Forwarded-For header chain.

Impact Analysis

This vulnerability can impact applications that depend on complete header information for security or routing decisions.

  • IP restriction mechanisms may receive incomplete client IP chains, potentially allowing unauthorized access.
  • Rate limiting could be bypassed or improperly enforced due to missing header values.
  • Audit logging and proxy-chain validation might be inaccurate, leading to gaps in security monitoring.

An attacker could exploit this by crafting repeated header values to manipulate application behavior.

Detection Guidance

This vulnerability can be detected by inspecting the HTTP request headers, specifically the X-Forwarded-For header, to check if repeated header values are being dropped or de-duplicated incorrectly.

You can capture and analyze incoming requests to see if the full chain of repeated header values is preserved or if some values are missing due to substring-based de-duplication.

Suggested commands include using tools like curl or tcpdump to capture headers, and grep or similar text processing tools to inspect the X-Forwarded-For header values.

  • Use curl to send a request with repeated X-Forwarded-For headers and observe the response or logs: curl -H "X-Forwarded-For: 203.0.113.1" -H "X-Forwarded-For: 203.0.113.10" http://your-application
  • Use tcpdump or Wireshark to capture HTTP traffic and inspect the X-Forwarded-For headers for missing or altered values.
  • Check application or middleware logs for incomplete X-Forwarded-For chains that could indicate dropped header values.
Mitigation Strategies

The primary mitigation step is to upgrade the Hono framework to version 4.12.27 or later, where this vulnerability has been fixed.

Until the upgrade can be applied, review and adjust any middleware or application logic that depends on the complete X-Forwarded-For header chain to handle potential missing values.

Consider implementing additional validation or logging to detect anomalies in header values that could indicate exploitation attempts.

Compliance Impact

The vulnerability causes the AWS API Gateway v1 adapter in the Hono framework to drop distinct repeated request header values due to improper de-duplication logic. This can result in incomplete X-Forwarded-For header chains, which are often used for audit logging, rate limiting, IP restriction, and proxy-chain validation.

Incomplete or inaccurate logging and validation of client IP addresses can undermine security controls and audit trails that are critical for compliance with standards like GDPR and HIPAA, which require accurate tracking and protection of user data and access.

Therefore, this vulnerability could negatively impact compliance by causing incomplete audit logs or incorrect enforcement of security policies that rely on full header information.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-59897. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart