VYPR
Vypr Intelligence · AI-generated · Jun 16, 2026 · 5 CVEs

Hono: Five CVEs Disclosed Together — AWS Lambda Adapter Flaws, CORS Misconfig, and Path Traversal

Five vulnerabilities in the Hono web framework were disclosed on June 16, affecting its AWS Lambda adapters, CORS middleware, and Windows path handling; three of them are logic bugs specific to cloud deployments.

Key findings

  • Three of the five CVEs affect AWS Lambda adapters — body-limit bypass, header dropping, and cookie merging
  • CVE-2026-54290 is a high-severity CORS misconfiguration that exposes cookie-authenticated endpoints to any origin
  • CVE-2026-54286 allows path traversal on Windows via encoded backslash (%5C) in serve-static
  • All five CVEs were disclosed together on June 16, 2026 and fixed in a coordinated release
  • Body Limit Middleware (CVE-2026-54288) trusts client-supplied Content-Length, enabling bypass on Lambda

On June 16, 2026, the Hono team disclosed five security vulnerabilities spanning the web framework's AWS Lambda adapters, CORS middleware, static-file serving, and body-limit enforcement. The batch was published within a 24-minute window. Three of the five sit in request-handling logic that behaves differently on serverless platforms than on a standard HTTP server; collectively the defects lead to limit bypasses, cross-origin data exposure, and silently lost headers and cookies, and they directly affect applications deployed on AWS Lambda, Lambda@Edge, ALB, and VPC Lattice.

AWS Lambda adapter flaws dominate the batch. CVE-2026-54288 concerns the Body Limit Middleware, which trusts the client-supplied Content-Length header to decide whether a request body is within the configured limit. On AWS Lambda (API Gateway v1/v2, ALB, VPC Lattice, and Lambda@Edge) the body arrives fully buffered in the event, and the adapter builds the request using the client-declared Content-Length, so the header is never compared against the bytes actually delivered. An attacker can understate the header, pass the middleware's size check, and hand the handler a payload well over the intended limit.

CVE-2026-54289 affects the Lambda@Edge adapter specifically. CloudFront delivers repeated request headers as separate entries, but the adapter used Headers.set instead of Headers.append, so each value overwrote the previous one and only the last value reached the application. Security-critical headers that legitimately repeat (e.g., authorization or forwarding headers) can therefore be silently dropped before any middleware sees them.

CVE-2026-54287 targets the ALB single-header response and VPC Lattice v2 response paths, where multiple Set-Cookie headers were joined into a single comma-separated value. Set-Cookie is the one common header that cannot be folded this way: commas also appear inside cookie attributes (an Expires date, for example), so a client cannot split the value back into individual cookies and silently drops them, breaking session management.
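To make the three adapter pitfalls concrete, the following is an added example, not Hono's adapter code, that reproduces each one in a toy adapter beside a fixed variant. It assumes CloudFront's event header shape of `{ name: [{ key, value }, ... ] }`, a fully buffered string body as API Gateway and ALB deliver it, and ALB's single-value `headers` response map; the `multiValueHeaders` shape used in the cookie fix is an assumption about the transport, not a description of Hono's patch. Names such as `edgeHeadersVulnerable` and `albSetCookieFixed` are illustrative.

```javascript
// Added example (not Hono's code): three Lambda-adapter pitfalls, each beside a fix.
// Runs on Node 18+ using only web-standard globals (Headers, TextEncoder).

// Constructed Lambda@Edge header block: X-Forwarded-For is delivered twice.
const EDGE_HEADERS = {
  "x-forwarded-for": [
    { key: "X-Forwarded-For", value: "203.0.113.7" },
    { key: "X-Forwarded-For", value: "198.51.100.2" },
  ],
  host: [{ key: "Host", value: "example.test" }],
};

// Pitfall 1 (CVE-2026-54289): Headers.set() keeps only the last repeated value.
function edgeHeadersVulnerable(raw) {
  const h = new Headers();
  for (const entries of Object.values(raw)) {
    for (const { key, value } of entries) h.set(key, value); // overwrites
  }
  return h;
}

// Fixed: append() keeps every entry; get() then yields "203.0.113.7, 198.51.100.2".
function edgeHeadersFixed(raw) {
  const h = new Headers();
  for (const entries of Object.values(raw)) {
    for (const { key, value } of entries) h.append(key, value);
  }
  return h;
}

// Pitfall 2 (CVE-2026-54288): a body-limit check that trusts Content-Length.
// On Lambda the whole body is already in memory, so the header proves nothing.
const LIMIT = 16;              // bytes; deliberately small for the example
const BODY = "A".repeat(64);   // constructed 64-byte body, four times the limit

function bodyLimitVulnerable(headers, body, limit) {
  const declared = Number(headers.get("content-length") ?? 0);
  return declared <= limit;    // an attacker-chosen number decides the outcome
}

function bodyLimitFixed(headers, body, limit) {
  // Measure what was actually delivered, not what the client claimed.
  return new TextEncoder().encode(body).byteLength <= limit;
}

// Pitfall 3 (CVE-2026-54287): joining Set-Cookie values with a comma.
const COOKIES = [
  "session=abc123; Path=/; HttpOnly; Expires=Wed, 21 Oct 2026 07:28:00 GMT",
  "csrf=xyz789; Path=/; SameSite=Strict",
];

function albSetCookieVulnerable(cookies) {
  // Single-value response map: both cookies collapse into one string.
  return { headers: { "set-cookie": cookies.join(", ") } };
}

function albSetCookieFixed(cookies) {
  // Keep each cookie as its own entry. ALB's multiValueHeaders response shape
  // is one way to carry that (assumption about the transport, not Hono's patch).
  return { multiValueHeaders: { "set-cookie": cookies.slice() } };
}

// Any attempt to recover individual cookies by splitting on commas fails:
// the comma inside the Expires date cuts the first cookie in half.
function splitOnComma(value) {
  return value.split(/,\s*/);
}
```

Run against the constructed inputs, the vulnerable body check accepts a 64-byte body carrying `Content-Length: 10`, the `set()`-based header copy reports only `198.51.100.2` as the forwarded address, and the joined Set-Cookie value splits into three fragments, none of which is a complete cookie.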

CORS middleware misconfiguration is the subject of CVE-2026-54290. When credentials: true is set and no explicit origin is provided (so the default wildcard applies), the CORS Middleware reflects the request's Origin header and sends Access-Control-Allow-Credentials: true. Browsers refuse a literal Access-Control-Allow-Origin: * on credentialed requests, which is exactly why reflection is dangerous: the echoed origin satisfies the browser's check for every site. Any arbitrary website can then make credentialed cross-origin requests to the Hono application and read the responses, exposing cookie-authenticated endpoints to cross-origin data theft. This is a classic CORS misconfiguration and is rated high severity.
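The misconfiguration is easiest to see with the header computation written out. Below is an added example, not Hono's middleware, that models the reflecting behaviour described above beside a hardened variant and a simplified model of the browser's read check; the option names `origin` and `credentials` mirror common CORS middleware options, and the function names are illustrative.

```javascript
// Added example (not Hono's code): CORS header logic, vulnerable and hardened.

// Vulnerable: wildcard origin plus credentials reflects whatever Origin arrives.
function corsHeadersVulnerable(requestOrigin, opts = { origin: "*", credentials: true }) {
  const h = {};
  if (opts.origin === "*") {
    // Browsers reject "*" with credentials, so the middleware echoes the
    // caller's Origin instead, which passes the browser check for any site.
    h["Access-Control-Allow-Origin"] = opts.credentials && requestOrigin ? requestOrigin : "*";
  } else {
    h["Access-Control-Allow-Origin"] = opts.origin;
  }
  if (opts.credentials) h["Access-Control-Allow-Credentials"] = "true";
  if (h["Access-Control-Allow-Origin"] !== "*") h["Vary"] = "Origin";
  return h;
}

// Hardened: refuse the wildcard when credentials are on, and only echo origins
// from an explicit allowlist (exact match, scheme and host included).
function makeCors(opts) {
  const { origin, credentials = false } = opts;
  if (credentials && (origin === undefined || origin === "*")) {
    throw new Error("cors: credentials:true requires an explicit origin allowlist");
  }
  const allowed = Array.isArray(origin) ? origin : [origin];
  return function corsHeaders(requestOrigin) {
    const h = {};
    if (!credentials && origin === "*") {
      h["Access-Control-Allow-Origin"] = "*"; // anonymous public API: fine
      return h;
    }
    if (requestOrigin && allowed.includes(requestOrigin)) {
      h["Access-Control-Allow-Origin"] = requestOrigin;
      h["Vary"] = "Origin";
      if (credentials) h["Access-Control-Allow-Credentials"] = "true";
    }
    return h; // unknown origin: no CORS headers, so the browser blocks the read
  };
}

// Simplified model of the browser's decision to expose a cross-origin
// response body to the calling page.
function browserAllowsRead(h, pageOrigin, withCredentials) {
  const acao = h["Access-Control-Allow-Origin"];
  if (acao === undefined) return false;
  if (withCredentials) {
    return acao === pageOrigin && h["Access-Control-Allow-Credentials"] === "true";
  }
  return acao === "*" || acao === pageOrigin;
}
```

With the vulnerable function, a page at `https://evil.example` issuing `fetch(url, { credentials: "include" })` gets back headers that the browser accepts, so the victim's cookie-authenticated response is readable. With `makeCors`, the wildcard-plus-credentials combination fails at configuration time, and an origin outside the allowlist receives no CORS headers at all.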

Path traversal on Windows is covered by CVE-2026-54286. An encoded backslash (%5C) in the request path decodes to \, which the Windows path resolver treats as a separator. The serve-static middleware then resolves a single URL segment such as admin%5Csecret.txt into the nested file admin\secret.txt under the root and serves it, allowing an attacker to read static files meant to be restricted. Because the URL contains no / between admin and secret.txt, any check that reasons about /-separated path segments sees only one segment.
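The following added example, not Hono's serve-static code, shows the resolution step in a toy resolver beside a hardened one. Windows separator handling is emulated inline by splitting on both / and \ so the example runs on any OS, no files are read, and the root `C:\site\static` and the `/admin/*` guard are constructed assumptions about how such files might be restricted rather than anything the advisory states.

```javascript
// Added example (not Hono's code): encoded backslash vs. a Windows-style resolver.

const ROOT = "C:\\site\\static"; // constructed root; the real layout is unknown

// Constructed guard: a route rule protecting /admin/* by looking at
// "/"-separated segments. It never sees "admin" in "/admin%5Csecret.txt".
function adminGuardBlocks(urlPath) {
  return urlPath.split("/").includes("admin");
}

// Vulnerable: decode, then let a Windows-style resolver treat "\" as "/".
function resolveVulnerable(root, urlPath) {
  const decoded = decodeURIComponent(urlPath);              // "/admin%5Csecret.txt" -> "/admin\secret.txt"
  const segments = decoded.split(/[\\/]+/).filter(Boolean); // emulated Windows: both separators split
  return root + "\\" + segments.join("\\");
}

// Hardened: split only on "/" and reject any decoded segment that still
// contains a backslash, plus ".." as defence in depth. Returning null stands
// in for a 404; this rejection strategy is an illustration, not Hono's patch.
function resolveFixed(root, urlPath) {
  const decoded = decodeURIComponent(urlPath);
  const segments = decoded.split("/").filter(Boolean);
  for (const s of segments) {
    if (s.includes("\\") || s === "..") return null;
  }
  return root + "\\" + segments.join("\\");
}
```

Against `/admin%5Csecret.txt` the guard does not fire, yet the vulnerable resolver produces `C:\site\static\admin\secret.txt`; the hardened resolver refuses the request while still serving an ordinary path such as `/css/app.css`.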

All five CVEs were addressed in a coordinated release by the Hono maintainers. Users should upgrade to the latest patched version of Hono immediately. For the AWS Lambda adapter issues, the fix ensures that Content-Length is validated against the actual buffered body size, that repeated headers are properly appended, and that Set-Cookie headers are preserved as individual entries. The CORS middleware now rejects the wildcard default when credentials are enabled, and the serve-static middleware normalizes paths on Windows to block encoded backslash traversal.

This batch underscores the complexity of running web frameworks on serverless platforms where the request lifecycle differs from standard HTTP servers. Hono users — particularly those deploying on AWS Lambda, Lambda@Edge, ALB, or VPC Lattice — should review their middleware configurations and apply the patch without delay.

AI-written article. Grounded in 5 CVE records listed below.