VYPR
Low severity · NVD Advisory · Published Aug 22, 2024 · Updated Aug 22, 2024

Hono CSRF middleware can be bypassed using crafted Content-Type header

CVE-2024-43787

Description

Hono is a web application framework that runs on any JavaScript runtime. Hono's CSRF middleware can be bypassed using a crafted Content-Type header: MIME types are case-insensitive, but isRequestedByFormElementRe only matches lower-case spellings, so an attacker can bypass the csrf middleware by sending a cross-origin request with an upper-case form-like MIME type (for example Application/x-www-form-urlencoded), which the middleware then does not treat as a form submission and lets through without an origin check. This vulnerability is fixed in 4.5.8.
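To make the mechanics concrete, here is an added example (not Hono's own middleware code) that models the single decision the CSRF middleware makes, whether a non-safe, form-like request comes from an allowed origin, using the two regexes from the fix commit side by side. The request object shape, the allowedOrigin parameter and the sample requests are assumptions of this example, not Hono's API.

```javascript
// Added example for this advisory; it is not Hono's own middleware code.
// It models the one decision the CSRF middleware makes (is this a
// non-safe, form-like, cross-origin request?) with the regex before the
// fix and the regex after it, so the bypass and the fix can be compared.
// The request shape and the `allowedOrigin` parameter are assumptions
// of this example, not Hono's API.

// Pattern before the fix (case-sensitive) and after it (the /i flag).
const vulnerableFormRe =
  /^\b(application\/x-www-form-urlencoded|multipart\/form-data|text\/plain)\b/
const fixedFormRe =
  /^\b(application\/x-www-form-urlencoded|multipart\/form-data|text\/plain)\b/i

const isSafeMethodRe = /^(GET|HEAD)$/

// Returns true when the request should be rejected with 403.
// Only form-like bodies matter: those are the cross-site requests a
// browser sends without a CORS preflight, so they are the ones a CSRF
// check must catch. A request the regex does not classify as form-like
// is waved through without any origin check, which is exactly the
// bypass when the regex misses a valid spelling of a form media type.
function shouldBlock(req, allowedOrigin, formRe) {
  if (isSafeMethodRe.test(req.method)) return false
  const contentType = req.headers['content-type'] || ''
  if (!formRe.test(contentType)) return false
  return req.headers.origin !== allowedOrigin
}

// Run one request through both versions of the pattern.
function evaluate(req, allowedOrigin) {
  return {
    vulnerable: shouldBlock(req, allowedOrigin, vulnerableFormRe),
    fixed: shouldBlock(req, allowedOrigin, fixedFormRe),
  }
}

// Constructed sample: a cross-site POST whose Content-Type is a valid
// but capitalised spelling of a form media type.
const crossSiteForm = {
  method: 'POST',
  headers: {
    origin: 'https://evil.example',
    'content-type': 'Application/x-www-form-urlencoded',
  },
}

// Constructed spellings a form submission can legitimately carry
// (case varies, parameters such as boundary or charset may follow).
// Every one of them must be classified as form-like.
const formLikeSpellings = [
  'application/x-www-form-urlencoded',
  'Application/x-www-form-urlencoded',
  'MULTIPART/FORM-DATA; boundary=----abc',
  'Text/Plain; charset=utf-8',
]

// Which of the legitimate spellings a given pattern fails to recognise.
function spellingsMissedBy(formRe) {
  return formLikeSpellings.filter((ct) => !formRe.test(ct))
}

console.log(evaluate(crossSiteForm, 'https://app.example'))
// { vulnerable: false, fixed: true }
console.log(spellingsMissedBy(vulnerableFormRe).length, spellingsMissedBy(fixedFormRe).length)
// 3 0
```

The point the example makes is that the regex sits on the permissive side of the decision: anything it fails to recognise skips the origin check entirely, so an under-matching pattern is a bypass rather than a false positive. Lower-casing the header before testing, or the /i flag the fix uses, closes the gap; the trailing \b keeps parameterised values such as a multipart boundary matching.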

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: hono (npm)
Affected versions: < 4.5.8
Patched versions: 4.5.8


Patches

41ce84037951

Merge commit from fork

https://github.com/honojs/hono · Yusuke Wada · Aug 22, 2024 · via ghsa
2 files changed · +13 −1
  • src/middleware/csrf/index.test.ts+12 0 modified
    @@ -194,6 +194,18 @@ describe('CSRF by Middleware', () => {
           expect(res.status).toBe(200)
           expect(await res.text()).toBe('hono')
         })
    +
    +    it('should be 403 for "Application/x-www-form-urlencoded" cross origin', async () => {
    +      const res = await app.request('http://localhost/form', {
    +        method: 'POST',
    +        headers: Object.assign({
    +          'content-type': 'Application/x-www-form-urlencoded',
    +        }),
    +        body: 'name=hono',
    +      })
    +      expect(res.status).toBe(403)
    +      expect(simplePostHandler).not.toHaveBeenCalled()
    +    })
       })
     
       describe('with origin option', () => {
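Review bot: the new test case only pins down the one spelling that was reported; since the fix flips the whole alternation to case-insensitive, sibling cases for the other two branches of isRequestedByFormElementRe (for example 'Multipart/Form-Data' and 'TEXT/PLAIN') would lock in the behaviour for all three, and a parameterised value such as 'text/plain; charset=utf-8' is worth a case so the trailing \b is exercised as well. Minor: Object.assign({ ... }) with a single argument is a no-op wrapper, so `headers: { 'content-type': 'Application/x-www-form-urlencoded' }` reads more clearly and matches what the surrounding tests do.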
    
  • src/middleware/csrf/index.ts+1 1 modified
    @@ -14,7 +14,7 @@ interface CSRFOptions {
     
     const isSafeMethodRe = /^(GET|HEAD)$/
     const isRequestedByFormElementRe =
    -  /^\b(application\/x-www-form-urlencoded|multipart\/form-data|text\/plain)\b/
    +  /^\b(application\/x-www-form-urlencoded|multipart\/form-data|text\/plain)\b/i
     
     /**
      * CSRF Protection Middleware for Hono.
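Review bot: adding the /i flag is the minimal correct fix, but nothing next to isRequestedByFormElementRe says why the pattern has to be case-insensitive or why it is a prefix match with a trailing \b (media types are case-insensitive and may carry parameters such as ; charset= or ; boundary=), so a future tidy-up could easily drop the flag again. A one-line comment above the constant referencing this advisory would prevent that; alternatively, lower-casing the header value before testing makes the requirement explicit at the call site rather than relying on a regex flag.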
    
