Web Application Framework Vulnerability in Hono Affecting AWS API Gateway
CVE-2026-59897
4.8MEDIUM
What is CVE-2026-59897?
The Hono web application framework, through its AWS API Gateway v1 adapter, is prone to a vulnerability where repeated request header values can be improperly de-duplicated. This occurs due to the use of substring comparison instead of exact matching, leading to incomplete data being sent to middleware or application logic. Such incomplete data can adversely affect operations reliant on the full X-Forwarded-For chain, including rate limiting, audit logging, and proxy-chain validation. The issue is addressed in version 4.12.27.
Affected Version(s)
hono >= 4.3.3, < 4.12.27
