CVE-2024-48913

Published: Oct 15, 2024Modified: Sep 17, 2025

5.9

Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N

Exploitability: 1.6 / Impact: 4.2

Source: security-advisories@github.com (Secondary)

Description

Hono, a web framework, prior to version 4.6.5 is vulnerable to bypass of cross-site request forgery (CSRF) middleware by a request without Content-Type header. Although the CSRF middleware verifies the Content-Type Header, Hono always considers a request without a Content-Type header to be safe. This can allow an attacker to bypass CSRF protection implemented with Hono CSRF middleware. Version 4.6.5 fixes this issue.

Affected (1)

Products: Hono: Hono

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Hono Hono	Before 4.6.5

Related CWEs

Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

References (3)

https://github.com/honojs/hono/blob/cebf4e87f3984a6a034e60a43f542b4c5225b668/src/middleware/csrf/index.ts#L76-L89

Source: security-advisories@github.com

Product

https://github.com/honojs/hono/commit/aa50e0ab77b5af8c53c50fe3b271892f8eeeea82

Source: security-advisories@github.com

Patch

https://github.com/honojs/hono/security/advisories/GHSA-2234-fmw7-43wr

Source: security-advisories@github.com

ExploitVendor Advisory

Timeline

No history available yet.