Impact
Hono is a web application framework for JavaScript runtimes that ships a bodyLimit() helper to cap the size of incoming request bodies. Prior to version 4.12.16, the helper does not reliably enforce the configured maximum when the request carries no usable Content-Length header, for example when the body is sent with Transfer-Encoding: chunked. An oversized payload can therefore be read in full and handed to the application handler, which answers 200 OK instead of the intended 413 Payload Too Large. Because the body is consumed without an effective cap, the flaw can drive memory or other server resources to exhaustion. The weakness is classified as CWE-400, Uncontrolled Resource Consumption.
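The gap described above, as an added example that is not Hono's code and does not reproduce the framework's own bodyLimit() implementation: a Content-Length-only check placed beside a guard that counts bytes as the body streams in and aborts the read the moment the cap is crossed. It assumes Node 18 or later for the global `Headers` and `ReadableStream`; every function name and the sample request are constructed for illustration.

```javascript
// Added example, not Hono's code: a Content-Length-only check beside a guard
// that counts bytes as the body streams in. Assumes Node 18+ for the global
// Headers and ReadableStream; names and sample requests are constructed.

const ONE_KIB = 1024;

// Header-only check. Returns true/false when Content-Length is present and
// null when it is absent (as with Transfer-Encoding: chunked). A guard that
// stops here has nothing to act on for a chunked body.
function exceedsByContentLength(headers, max) {
  const raw = headers.get('content-length');
  if (raw === null) return null;
  if (!/^\d+$/.test(raw)) return true; // malformed length: reject, never trust
  return Number(raw) > max;
}

// Shared byte accounting, independent of any header.
function limitCounter(max) {
  let received = 0;
  return {
    accept(chunk) {
      received += chunk.byteLength;
      return received <= max;
    },
    get received() {
      return received;
    },
  };
}

function concat(chunks) {
  const out = new Uint8Array(chunks.reduce((n, c) => n + c.byteLength, 0));
  let offset = 0;
  for (const c of chunks) {
    out.set(c, offset);
    offset += c.byteLength;
  }
  return out;
}

// Synchronous form over any iterable of Uint8Array chunks: stops at the first
// chunk that pushes the total over `max`, without buffering the remainder.
function enforceLimitOverChunks(chunks, max) {
  const counter = limitCounter(max);
  const kept = [];
  for (const chunk of chunks) {
    if (!counter.accept(chunk)) {
      return { status: 413, received: counter.received };
    }
    kept.push(chunk);
  }
  return { status: 200, received: counter.received, body: concat(kept) };
}

// Same accounting over a Web ReadableStream (what Request.body is). On
// overflow the source is cancelled so nothing further is pulled from it.
async function readBodyWithLimit(stream, max) {
  const counter = limitCounter(max);
  const reader = stream.getReader();
  const kept = [];
  for (;;) {
    const { done, value } = await reader.read();
    if (done) break;
    if (!counter.accept(value)) {
      await reader.cancel('body limit exceeded');
      return { status: 413, received: counter.received };
    }
    kept.push(value);
  }
  return { status: 200, received: counter.received, body: concat(kept) };
}

// Constructed input: a body that arrives as separate chunks with no
// Content-Length, the way a chunked upload is delivered.
function chunkedBody(sizes) {
  return sizes.map((size) => new Uint8Array(size).fill(0x41));
}

function toStream(chunks) {
  return new ReadableStream({
    start(controller) {
      for (const c of chunks) controller.enqueue(c);
      controller.close();
    },
  });
}

// Both checks on one request. With a chunked body the header verdict is null,
// so only the streaming verdict can produce the 413.
async function handle(headers, stream, max) {
  const byHeader = exceedsByContentLength(headers, max);
  const byStream = await readBodyWithLimit(stream, max);
  return { byHeader, status: byStream.status, received: byStream.received };
}

// Three 512-byte chunks against a 1 KiB cap: the header check cannot decide,
// the streaming guard rejects on the third chunk with 1536 bytes received.
handle(new Headers({ 'transfer-encoding': 'chunked' }), toStream(chunkedBody([512, 512, 512])), ONE_KIB)
  .then((r) => console.log(r)); // { byHeader: null, status: 413, received: 1536 }
```

The point of `limitCounter` is that the decision never depends on what the client declares: a body exactly at the cap passes, the first byte over it turns into a 413, and cancelling the reader means the server stops consuming the stream instead of buffering the rest of the upload before replying.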
Affected Systems
The vulnerability applies to every installation of the Hono framework older than 4.12.16, on any JavaScript runtime. The CNA product listing is honojs:hono and does not narrow the affected platform or runtime. All released versions before 4.12.16 are affected; 4.12.16 is the first version in which bodyLimit() enforces the limit for bodies without a usable Content-Length, so upgrading to 4.12.16 or later removes the flaw.
Risk and Exploitability
The CVSS base score of 6.5 corresponds to Medium severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog, so there is no documented in-the-wild exploitation at the time of writing. An attacker needs only the ability to send an HTTP request whose body has no usable Content-Length, such as one using Transfer-Encoding: chunked; no authentication or privileged access is required. Any network position that can reach the application suffices, so the flaw is as exploitable from the internet as from an internal network, and a single unauthenticated client streaming a large body to a route guarded only by bodyLimit() is enough to trigger the resource consumption.