Hono Web Framework Vulnerable to CSRF Bypass
CVE-2024-48913

5.9MEDIUM

Key Information:

Vendor

Honojs

Status
Hono
Vendor
CVE Published:
15 October 2024

What is CVE-2024-48913?

The Hono web framework is susceptible to a bypass of its cross-site request forgery (CSRF) middleware due to improper handling of requests lacking a Content-Type header. The CSRF middleware is designed to check the Content-Type of incoming requests. However, in the versions prior to 4.6.5, requests that do not include this header are incorrectly treated as safe, thus allowing potential attacks that can circumvent CSRF protections. Users of Hono are urged to upgrade to version 4.6.5 or later to mitigate this security issue.

Affected Version(s)

hono < 4.6.5

References

https://github.com/honojs/hono/security/advisories/GHSA-2...
x_refsource_CONFIRM
https://github.com/honojs/hono/commit/aa50e0ab77b5af8c53c...
x_refsource_MISC
https://github.com/honojs/hono/blob/cebf4e87f3984a6a034e6...
x_refsource_MISC

CVSS V3.1

Score:
5.9
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
High
Availability:
Low
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.