Web Application Framework Vulnerability in Hono Affecting AWS API Gateway
CVE-2026-59897

4.8MEDIUM

Key Information:

Vendor

Honojs

Status
Vendor
CVE Published:
8 July 2026

What is CVE-2026-59897?

The Hono web application framework, through its AWS API Gateway v1 adapter, is prone to a vulnerability where repeated request header values can be improperly de-duplicated. This occurs due to the use of substring comparison instead of exact matching, leading to incomplete data being sent to middleware or application logic. Such incomplete data can adversely affect operations reliant on the full X-Forwarded-For chain, including rate limiting, audit logging, and proxy-chain validation. The issue is addressed in version 4.12.27.

Affected Version(s)

hono >= 4.3.3, < 4.12.27

References

CVSS V3.1

Score:
4.8
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.