Body Limit Middleware Vulnerability in Hono Web Application Framework
CVE-2026-54288

6.5 MEDIUM

Key Information:

Vendor: Honojs

Status
Vendor
CVE Published: 22 June 2026

What is CVE-2026-54288?

The Hono Web Application Framework, prior to version 4.12.25, has a vulnerability in its Body Limit Middleware that allows an attacker to manipulate the Content-Length header of incoming requests. A client can declare a small Content-Length while uploading a significantly larger payload, bypassing the configured body size limit. The vulnerability is particularly relevant in cloud environments such as AWS Lambda, where request bodies can be fully buffered. Applications could be exposed to various forms of attack stemming from unregulated request sizes. The vulnerability has been addressed in version 4.12.25.
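The mismatch described above, as a defensive illustration added here and not taken from Hono or its patch: a header-only size check accepts a request whose declared Content-Length is small, while a check that counts the bytes actually received rejects it. The function names, the 1024-byte limit and the sample request are constructed for this example.

```javascript
// Added example, not Hono's code. All names and values are hypothetical.
const MAX_BYTES = 1024; // constructed limit for the demo

// Flawed pattern: the decision rests only on what the client declares.
function headerOnlyCheck(headers, maxBytes) {
  const declared = Number(headers['content-length']);
  return Number.isFinite(declared) && declared <= maxBytes;
}

// Hardened pattern: the header is only a fast-reject hint; the limit is
// enforced on bytes received. `chunks` is any iterable of Uint8Array
// (a fully buffered body, as on a buffering platform, is a single chunk).
function readWithLimit(headers, chunks, maxBytes) {
  const declared = Number(headers['content-length']);
  if (Number.isFinite(declared) && declared > maxBytes) {
    return { status: 413, bytesRead: 0, body: null, mismatch: false };
  }
  const kept = [];
  let bytesRead = 0;
  for (const chunk of chunks) {
    bytesRead += chunk.byteLength;
    if (bytesRead > maxBytes) {
      // Stop consuming as soon as the real size crosses the limit.
      return { status: 413, bytesRead, body: null, mismatch: true };
    }
    kept.push(chunk);
  }
  // A declared length that differs from the real one is worth logging.
  const mismatch = Number.isFinite(declared) && declared !== bytesRead;
  return { status: 200, bytesRead, body: Buffer.concat(kept), mismatch };
}

// Constructed request: declares 10 bytes, delivers 4 x 512 = 2048 bytes.
const spoofedHeaders = { 'content-length': '10' };
function* oversizedBody() {
  for (let i = 0; i < 4; i++) yield new Uint8Array(512);
}

function demo() {
  return {
    headerOnly: headerOnlyCheck(spoofedHeaders, MAX_BYTES),
    counted: readWithLimit(spoofedHeaders, oversizedBody(), MAX_BYTES),
    honest: readWithLimit({ 'content-length': '5' }, [new Uint8Array(5)], MAX_BYTES),
  };
}

console.log(demo());
```

The counting check stops at the third chunk, so an oversized body is rejected without being read to the end.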

Affected Version(s)

hono < 4.12.25

CVSS V3.1

Score: 6.5
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
