Moderate severityNVD Advisory· Published Oct 15, 2024· Updated Nov 7, 2024
Hono vulnerable to bypass of CSRF Middleware by a request without Content-Type header.
CVE-2024-48913
Description
Hono, a web framework, prior to version 4.6.5 is vulnerable to bypass of cross-site request forgery (CSRF) middleware by a request without Content-Type header. Although the CSRF middleware verifies the Content-Type Header, Hono always considers a request without a Content-Type header to be safe. This can allow an attacker to bypass CSRF protection implemented with Hono CSRF middleware. Version 4.6.5 fixes this issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
hononpm | < 4.6.5 | 4.6.5 |
Affected products
9- osv-coords8 versionspkg:apk/chainguard/honopkg:apk/chainguard/hono-adapter-mqttpkg:apk/chainguard/hono-clipkg:apk/chainguard/hono-compatpkg:apk/chainguard/hono-service-authpkg:apk/chainguard/hono-service-command-routerpkg:apk/chainguard/hono-service-device-registry-jdbcpkg:npm/hono
< 0+ 7 more
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 4.6.5
Patches
Vulnerability mechanics
References
5- github.com/advisories/GHSA-2234-fmw7-43wrghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2024-48913ghsaADVISORY
- github.com/honojs/hono/blob/cebf4e87f3984a6a034e60a43f542b4c5225b668/src/middleware/csrf/index.tsghsax_refsource_MISCWEB
- github.com/honojs/hono/commit/aa50e0ab77b5af8c53c50fe3b271892f8eeeea82ghsax_refsource_MISCWEB
- github.com/honojs/hono/security/advisories/GHSA-2234-fmw7-43wrghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.