hono: Lambda@Edge adapter keeps only the last value of a repeated request header, dropping the rest
Description
On AWS Lambda@Edge, the Hono adapter overwrites repeated request headers, keeping only the last value, which can mislead IP restriction and auditing.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
On AWS Lambda@Edge, the Hono adapter overwrites repeated request headers, keeping only the last value, which can mislead IP restriction and auditing.
Vulnerability
The Hono Lambda@Edge adapter uses Headers.set instead of Headers.append when processing request headers, causing repeated headers (e.g., X-Forwarded-For, Forwarded, Via) to be overwritten with each iteration, leaving only the final value. This issue occurs only on Lambda@Edge deployments where CloudFront delivers multiple values as separate entries. The API Gateway adapter is not affected [1][2].
Exploitation
An attacker can send an HTTP request containing the same header multiple times with different values. The adapter processes each value in order but overwrites previous values, so the application receives only the last value. No authentication or special privileges are required; the attacker only needs the ability to send HTTP requests to the Lambda@Edge function [1][2].
Impact
The application middleware sees an incomplete header chain. For IP-restriction logic that relies on the full X-Forwarded-For list, this can weaken or alter the access decision. Auditing systems that track Forwarded or Via hops lose intermediate hop information. The integrity of request metadata is compromised, potentially leading to security bypasses or incomplete logs [1][2].
Mitigation
A fix for the Hono Lambda@Edge adapter is expected in a future release. Users should upgrade to the latest version once available. No workaround is provided in the available references [1][2].
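The set-versus-append defect described under Vulnerability, next to the append-based conversion the Mitigation section anticipates, as an added example that is not Hono's adapter code. It assumes only the documented CloudFront Lambda@Edge request-event header shape (lowercase keys mapping to arrays of {key, value} entries) and uses constructed sample values.

```javascript
// Added example, not Hono's adapter code: shows why converting a Lambda@Edge
// header map with Headers.set() drops repeated values, and the append() fix.
// Assumed event shape (documented CloudFront format): request.headers is an
// object keyed by lowercase name, each value an array of { key, value }.

// Constructed sample: CloudFront delivers a repeated X-Forwarded-For (and Via)
// header as separate entries rather than one comma-joined string.
const sampleCfHeaders = {
  host: [{ key: 'Host', value: 'example.test' }],
  'x-forwarded-for': [
    { key: 'X-Forwarded-For', value: '203.0.113.10' },
    { key: 'X-Forwarded-For', value: '198.51.100.7' },
  ],
  via: [
    { key: 'Via', value: '1.1 proxy-a' },
    { key: 'Via', value: '1.1 proxy-b' },
  ],
};

// Vulnerable conversion: set() replaces the previous value on each iteration,
// so only the last entry of a repeated header survives.
function toHeadersWithSet(cfHeaders) {
  const headers = new Headers();
  for (const entries of Object.values(cfHeaders)) {
    for (const { key, value } of entries) headers.set(key, value);
  }
  return headers;
}

// Fixed conversion: append() keeps every entry; Headers.get() then returns
// the values joined with ", ", so the full proxy chain reaches middleware.
function toHeadersWithAppend(cfHeaders) {
  const headers = new Headers();
  for (const entries of Object.values(cfHeaders)) {
    for (const { key, value } of entries) headers.append(key, value);
  }
  return headers;
}

// Defender-side check: list the hops an IP-restriction rule would actually see.
function forwardedChain(headers) {
  const raw = headers.get('x-forwarded-for') ?? '';
  return raw.split(',').map((s) => s.trim()).filter(Boolean);
}

console.log(forwardedChain(toHeadersWithSet(sampleCfHeaders)));    // [ '198.51.100.7' ]
console.log(forwardedChain(toHeadersWithAppend(sampleCfHeaders))); // [ '203.0.113.10', '198.51.100.7' ]
```

The same loop shape applies to Forwarded and any other header CloudFront splits into multiple entries; an audit log built from the set() version records only the final hop.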
AI Insight generated on Jun 16, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (2)
News mentions (0)
No linked articles in our index yet.