Description
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.25, on AWS Lambda@Edge, CloudFront delivers a request header that appears more than once as several separate entries. The adapter writes each value with Headers.set instead of Headers.append, so every value overwrites the previous one and only the last reaches the application. Repeated request headers such as X-Forwarded-For, Forwarded, and Via are silently truncated to a single value. Request middleware sees only the last value of a repeated header instead of the full chain. For applications that base access control on the X-Forwarded-For chain, this can weaken or alter that decision; for auditing, hop history is lost. This vulnerability is fixed in 4.12.25.
Published: 2026-06-22
Score: 4.8 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Hono, a JavaScript web framework, incorrectly overwrites repeated CloudFront request headers on AWS Lambda@Edge by using Headers.set rather than Headers.append. When a header such as X-Forwarded-For, Forwarded, or Via appears multiple times, only the last value is kept; the earlier values are silently dropped before any request middleware or route handler runs. Applications that rely on the full hop chain for access-control decisions or auditing can therefore make incorrect authorisation choices or lose traceability. The weakness is classified as CWE-348 (Use of Less Trusted Source): the application acts on a truncated header that no longer reflects the chain CloudFront actually delivered.
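The following is an added example, not Hono's adapter code and not part of the advisory. It reproduces the behaviour the Description and the Impact paragraph above describe, using the Node.js global Headers (Fetch API) and a hand-constructed fragment of a Lambda@Edge request event in which CloudFront has delivered X-Forwarded-For and Via as several separate entries. The two conversion functions and the `firstHop` access-control helper are assumptions of the example, written to show the difference between Headers.set and Headers.append.

```javascript
// Constructed sample (not captured traffic): Lambda@Edge request headers are an
// object keyed by lowercase name whose value is an array of {key, value}
// entries. A header CloudFront received more than once yields several entries.
const sampleCfHeaders = {
  host: [{ key: 'Host', value: 'example.com' }],
  'x-forwarded-for': [
    { key: 'X-Forwarded-For', value: '203.0.113.7' },
    { key: 'X-Forwarded-For', value: '198.51.100.9' },
    { key: 'X-Forwarded-For', value: '192.0.2.44' },
  ],
  via: [
    { key: 'Via', value: '1.1 proxy-a' },
    { key: 'Via', value: '1.1 proxy-b' },
  ],
};

// Lossy conversion, modelling the pre-4.12.25 behaviour the advisory
// describes: Headers.set replaces the previous value, so for a repeated
// header only the last entry survives.
function toHeadersLossy(cfHeaders) {
  const h = new Headers();
  for (const entries of Object.values(cfHeaders)) {
    for (const { key, value } of entries) h.set(key, value);
  }
  return h;
}

// Preserving conversion, modelling the fix: Headers.append keeps every
// entry. Per the Fetch spec, get() returns them joined with ", ".
function toHeadersPreserving(cfHeaders) {
  const h = new Headers();
  for (const entries of Object.values(cfHeaders)) {
    for (const { key, value } of entries) h.append(key, value);
  }
  return h;
}

// Split a comma-list header (X-Forwarded-For, Via, Forwarded) into elements.
function listElements(headers, name) {
  const raw = headers.get(name);
  if (raw === null) return [];
  return raw.split(',').map((s) => s.trim()).filter((s) => s.length > 0);
}

// Hypothetical access-control helper: many deployments treat the first
// element of X-Forwarded-For as the originating client. With the lossy
// conversion that "first" element is really the last one CloudFront delivered.
function firstHop(headers) {
  const elems = listElements(headers, 'X-Forwarded-For');
  return elems.length > 0 ? elems[0] : null;
}

const lossy = toHeadersLossy(sampleCfHeaders);
const preserving = toHeadersPreserving(sampleCfHeaders);
console.log('Headers.set    ->', lossy.get('x-forwarded-for'));      // 192.0.2.44
console.log('Headers.append ->', preserving.get('x-forwarded-for')); // 203.0.113.7, 198.51.100.9, 192.0.2.44
console.log('first hop (set)    ->', firstHop(lossy));       // 192.0.2.44
console.log('first hop (append) ->', firstHop(preserving));  // 203.0.113.7
```

Run with `node` 18 or later (the global Headers class is required). The lossy variant makes `firstHop` return the final entry, so any rule of the form "allow if the originating client is in range X" is evaluated against a different address than the one the full chain identifies, which is the access-control effect the advisory warns about; the Via chain is truncated the same way, which is the auditing loss.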

Affected Systems

The flaw affects all instances of the Hono framework deployed on AWS Lambda@Edge with a version earlier than 4.12.25. It is specific to the Lambda@Edge adapter and does not impact other hosting platforms or newer framework releases.

Risk and Exploitability

The CVSS 3.1 score of 4.8 (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N) indicates moderate severity: the flaw is reachable over the network without privileges or user interaction, but attack complexity is rated high. No EPSS score is available, the issue is not listed in the CISA KEV catalog, and the SSVC assessment records exploitation at proof-of-concept level and not automatable, so mass exploitation is unlikely at present. The attack vector is an ordinary HTTP request in which a header such as X-Forwarded-For appears more than once; nothing beyond reaching the Lambda@Edge deployment is needed to trigger the truncation, but what an attacker gains depends on how the application interprets the single surviving value. Because the vulnerability alters the information an application uses for security decisions, the impact falls on the integrity of access-control decisions and of the audit trail rather than on availability.

Generated by OpenCVE AI on June 22, 2026 at 18:35 UTC.

Remediation

Fixed in Hono 4.12.25 (see the Description and advisory GHSA-wgpf-jwqj-8h8p). No separate vendor workaround is listed.

OpenCVE Recommended Actions

  • Upgrade Hono to version 4.12.25 or later on all Lambda@Edge deployments; that release switches the adapter to Headers.append so every delivered value reaches the application.
  • If an upgrade cannot be performed immediately, do not rely on Hono request middleware to recover the chain: by the time middleware runs the adapter has already discarded the earlier entries. Instead, pre-process the raw CloudFront event in the Lambda@Edge handler, merging each header that arrives as several entries into one comma-separated value (the same combined form Headers.append produces), before passing the event to the adapter.
  • After deployment, validate that repeated headers are preserved: send a request carrying several X-Forwarded-For entries and confirm, in request logs or through an explicit check in the access-control code, that the full chain is visible to the application rather than only the last hop.

Advisories
Source: GitHub GHSA
ID: GHSA-wgpf-jwqj-8h8p
Title: hono: Lambda@Edge adapter keeps only the last value of a repeated request header, dropping the rest
History

Mon, 22 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 22 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Description Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.25, on AWS Lambda@Edge, CloudFront delivers a request header that appears more than once as several separate entries. The adapter writes each value with Headers.set instead of Headers.append, so every value overwrites the previous one and only the last reaches the application. Repeated request headers such as X-Forwarded-For, Forwarded, and Via are silently truncated to a single value. Request middleware sees only the last value of a repeated header instead of the full chain. For applications that base access control on the X-Forwarded-For chain, this can weaken or alter that decision; for auditing, hop history is lost. This vulnerability is fixed in 4.12.25.
Title Hono: Lambda@Edge adapter keeps only the last value of a repeated request header, dropping the rest
Weaknesses CWE-348
References
Metrics cvssV3_1

{'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-22T18:19:34.502Z

Reserved: 2026-06-12T17:46:37.293Z

Link: CVE-2026-54289

Vulnrichment

Updated: 2026-06-22T18:18:50.829Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-22T18:45:04Z

Weaknesses
  • CWE-348

    Use of Less Trusted Source