Web Application Framework Vulnerability in Hono by Honojs
CVE-2026-54289

4.8 MEDIUM

Key Information:

Vendor: Honojs

Status
Vendor
CVE Published: 22 June 2026

What is CVE-2026-54289?

The Hono web application framework for JavaScript runtimes did not correctly handle repeated request headers delivered by CloudFront on AWS Lambda@Edge. The adapter used Headers.set where it should have used Headers.append, so each repeated value overwrote the previous one instead of being appended. As a result, critical headers like X-Forwarded-For, Forwarded, and Via were truncated to a single value, and request middleware could not access the complete header chain. This can undermine access control mechanisms that rely on the full X-Forwarded-For history and may adversely affect auditing processes. Users are encouraged to update to version 4.12.25 or later to mitigate this issue.
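The difference between the two calls, shown as an added example that is not Hono's adapter code: the header record is constructed in the CloudFront Lambda@Edge event shape (lower-cased name mapped to an array of key/value entries), and the function names are hypothetical.

```javascript
// Constructed sample: CloudFront request headers as they appear in a
// Lambda@Edge event. Addresses and hostnames are documentation values.
const cfHeaders = {
  'x-forwarded-for': [
    { key: 'X-Forwarded-For', value: '203.0.113.7' },
    { key: 'X-Forwarded-For', value: '198.51.100.23' },
  ],
  via: [
    { key: 'Via', value: '1.1 proxy-a.example' },
    { key: 'Via', value: '2.0 proxy-b.example' },
  ],
  host: [{ key: 'Host', value: 'app.example' }],
};

// Pattern the advisory describes: set() replaces any existing value,
// so only the last entry of a repeated header survives.
function buildHeadersWithSet(cf) {
  const headers = new Headers();
  for (const [name, entries] of Object.entries(cf)) {
    for (const { value } of entries) headers.set(name, value);
  }
  return headers;
}

// Corrected pattern: append() keeps every entry; get() then returns
// the values joined with ", ".
function buildHeadersWithAppend(cf) {
  const headers = new Headers();
  for (const [name, entries] of Object.entries(cf)) {
    for (const { value } of entries) headers.append(name, value);
  }
  return headers;
}

// Hypothetical helper: the hop list that middleware would read from
// X-Forwarded-For for an access-control or audit decision.
function forwardedChain(headers) {
  const raw = headers.get('x-forwarded-for');
  return raw ? raw.split(',').map((hop) => hop.trim()) : [];
}

console.log('set:   ', forwardedChain(buildHeadersWithSet(cfHeaders)));
console.log('append:', forwardedChain(buildHeadersWithAppend(cfHeaders)));
```

A regression test for an adapter can assert that the hop count seen by middleware equals the number of entries in the incoming event.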

Affected Version(s)

hono < 4.12.25

CVSS V3.1

Score: 4.8
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
