Impact
Hono’s Body Limit Middleware decides whether a payload is within the configured limit by trusting the client‑supplied Content‑Length header. On AWS Lambda (API Gateway v1/v2, ALB, VPC Lattice and Lambda@Edge) the platform buffers the whole body before the function runs, and the request object handed to Hono is constructed with the declared Content‑Length, which need not match the size of the buffered payload. An attacker can therefore send a large body while declaring a small Content‑Length: the request passes the middleware’s size check and the full body reaches application code. Processing an oversized body can exhaust the function’s memory or response resources, resulting in denial of service or other stability problems. The weakness is classified as CWE‑345 (Insufficient Verification of Data Authenticity): the size limit is enforced on a value the client controls rather than on the data actually received.
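The two checking strategies side by side, as an added illustration that is not Hono’s code and does not reproduce its middleware: `allowByDeclaredLength` trusts the header the way the advisory describes, while `allowByMeasuredLength` measures the body the platform has already buffered. The event shape (`headers`, `body`, `isBase64Encoded`) follows the fields a Lambda HTTP integration supplies; the sample events, the limit constant and all function names are constructed for this demo.

```javascript
// Added illustration (not Hono's code): a body limit enforced on the declared
// Content-Length versus one enforced on the bytes actually buffered.
// Event objects below are constructed samples, not captured traffic.

const LIMIT_BYTES = 1024; // hypothetical limit for the demo

// Lambda events may carry mixed-case header names; look up case-insensitively.
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  for (const [k, v] of Object.entries(headers || {})) {
    if (k.toLowerCase() === wanted) return v;
  }
  return undefined;
}

// Bypassable pattern: the decision rests on the client-declared length only.
// Returns true when the request is allowed through.
function allowByDeclaredLength(event, limit) {
  const declared = getHeader(event.headers, 'content-length');
  if (declared === undefined) return true; // nothing declared, nothing checked
  const n = Number(declared);
  if (!Number.isInteger(n) || n < 0) return false; // malformed header: reject
  return n <= limit;
}

// The platform has already buffered the whole body, so its size is knowable.
// Base64-encoded bodies are decoded first so the count is of real bytes.
function bufferedBodyBytes(event) {
  if (event.body == null) return 0;
  return event.isBase64Encoded
    ? Buffer.from(event.body, 'base64').length
    : Buffer.byteLength(event.body, 'utf8');
}

// Hardened pattern: enforce the limit on measured bytes. A declared length
// that disagrees with the buffered size is treated as a malformed request.
function allowByMeasuredLength(event, limit) {
  const declared = getHeader(event.headers, 'content-length');
  const actual = bufferedBodyBytes(event);
  if (declared !== undefined && Number(declared) !== actual) return false;
  return actual <= limit;
}

// Constructed attacker request: 64 KiB body, header claims 10 bytes.
function makeMismatchedEvent() {
  return {
    headers: { 'Content-Length': '10', 'content-type': 'text/plain' },
    body: 'A'.repeat(64 * 1024),
    isBase64Encoded: false,
  };
}

// Constructed honest request: small body with a matching header.
function makeHonestEvent() {
  const body = 'hello';
  return {
    headers: { 'content-length': String(body.length) },
    body,
    isBase64Encoded: false,
  };
}

// Constructed base64 variant: 2 KiB of binary, declared as 10 bytes.
function makeMismatchedBase64Event() {
  const raw = Buffer.alloc(2048, 0xff);
  return {
    headers: { 'content-length': '10' },
    body: raw.toString('base64'),
    isBase64Encoded: true,
  };
}

function demo() {
  const evil = makeMismatchedEvent();
  console.log('declared-length check admits 64 KiB body:', allowByDeclaredLength(evil, LIMIT_BYTES));
  console.log('measured-length check rejects it:', !allowByMeasuredLength(evil, LIMIT_BYTES));
}

demo();
```

The measured check deliberately rejects on any mismatch rather than silently using the larger of the two numbers: once the body is already in memory, the header has no role left to play, and a disagreement is a signal worth logging.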
Affected Systems
The issue affects the Hono web framework (honojs:hono) in versions earlier than 4.12.25 when the application runs in AWS Lambda, whether invoked through API Gateway v1/v2, Application Load Balancer, VPC Lattice, or Lambda@Edge. Deployments of the same versions on other runtimes are not described as affected. The fix is to upgrade to 4.12.25 or later.
Risk and Exploitability
The CVSS score of 6.5 places the issue at medium severity; no EPSS score is available, and the vulnerability is not currently listed in the CISA KEV catalog. Exploitation requires only a crafted HTTP request to a Lambda‑hosted Hono application: an oversized body accompanied by a Content‑Length header that understates its size. Because the attack manipulates request headers rather than achieving code execution, any attacker with network access to the API surface can attempt it. The risk is therefore primarily resource exhaustion of the Lambda function and resulting service disruption.
OpenCVE Enrichment
GitHub GHSA