VYPR
Medium severity (6.5) · GHSA Advisory · Published Jun 16, 2026 · Updated Jun 16, 2026

hono: Body Limit Middleware can be bypassed on AWS Lambda by understating `Content-Length`

CVE-2026-54288

Description

Body Limit Middleware on AWS Lambda can be bypassed by providing a false Content-Length header, allowing oversized payloads.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

The Body Limit Middleware in the Hono framework trusts the Content-Length header to decide whether a request body is within the configured limit. On AWS Lambda (API Gateway v1/v2, ALB, VPC Lattice, and Lambda@Edge), the adapter reconstructs the request from a fully buffered payload and copies the client-declared Content-Length verbatim, without verifying it matches the actual body size. This allows a client to declare a small Content-Length while sending a larger body, bypassing the middleware's check. This affects applications deployed on AWS Lambda that rely on this middleware. [1][2]

Exploitation

An attacker only needs network access to the Lambda endpoint. No authentication or special privileges are required. The attacker sends an HTTP request with a Content-Length header set to a value under the middleware limit, but includes a substantially larger body (e.g., large JSON or multipart payload). The middleware passes the request because it compares only the declared length, and the handler reads the full oversized body. [1][2]

Impact

A successful bypass allows the handler to process a payload larger than the configured maximum, consuming additional CPU and memory per request. The oversized payload remains bounded by the platform's request size limits, and Lambda isolates invocations, so the impact is increased per-request resource usage rather than full denial of service. This can lead to higher operational costs and potential performance degradation for the affected application. [1][2]

Mitigation

As of the publication date, no specific fix version has been announced. Users should monitor the official advisory for updates (see references). Recommended workarounds include implementing additional size validation at the application level or using a different middleware that properly checks actual body size on Lambda. [1][2]
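One way to do the application-level size validation the Mitigation section recommends, as an added example that is not Hono's code: measure the buffered Lambda payload instead of trusting the declared Content-Length. The event shape (`headers`, `body`, `isBase64Encoded`) follows the API Gateway proxy event; the adapter and middleware internals are simplified stand-ins, and the sample events and 16-byte limit are constructed.

```javascript
// Added example, not Hono's implementation. Simplified stand-in for a
// Lambda adapter that hands the handler a fully buffered payload plus the
// client-supplied headers (API Gateway proxy event shape).

// Parse the client-declared Content-Length; null if absent or malformed.
function declaredLength(headers) {
  const v = headers["content-length"] ?? headers["Content-Length"];
  const n = Number.parseInt(v, 10);
  return Number.isFinite(n) && n >= 0 ? n : null;
}

// Real byte count of the buffered payload (API Gateway base64-encodes
// binary bodies and flags them with isBase64Encoded).
function actualLength(event) {
  if (event.body == null) return 0;
  const buf = event.isBase64Encoded
    ? Buffer.from(event.body, "base64")
    : Buffer.from(event.body, "utf8");
  return buf.length;
}

// Weak pattern the advisory describes: compares only the declared size.
function passesDeclaredLimit(event, maxSize) {
  const declared = declaredLength(event.headers ?? {});
  return declared !== null && declared <= maxSize;
}

// Hardened check: compares the real payload size, and also rejects a
// declared value that disagrees with the body (malformed request).
function enforceBodyLimit(event, maxSize) {
  const declared = declaredLength(event.headers ?? {});
  const actual = actualLength(event);
  if (actual > maxSize) return { ok: false, reason: "body exceeds limit", declared, actual };
  if (declared !== null && declared !== actual) {
    return { ok: false, reason: "content-length mismatch", declared, actual };
  }
  return { ok: true, reason: "within limit", declared, actual };
}

// Constructed samples: 16-byte limit; one request understates
// Content-Length as 10 while carrying a 64-byte body, the other is honest.
const LIMIT = 16;
const oversized = {
  headers: { "content-length": "10" },
  body: "x".repeat(64),
  isBase64Encoded: false,
};
const honest = {
  headers: { "content-length": "12" },
  body: Buffer.from("hello world!").toString("base64"),
  isBase64Encoded: true,
};
```

The header-only check admits `oversized`; the buffered-size check rejects it and still accepts the honest base64-encoded request.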

AI Insight generated on Jun 16, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE: the mechanics section is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 2

News mentions: 0

No linked articles in our index yet.