CVE-2026-44456 Overview
CVE-2026-44456 is a resource exhaustion vulnerability in Hono, a JavaScript web application framework that runs on any JavaScript runtime. The bodyLimit() middleware fails to reliably enforce its maxSize setting for requests that lack a usable Content-Length header. Requests using Transfer-Encoding: chunked can bypass the limit. Oversized payloads reach downstream handlers and receive a 200 OK response instead of the expected 413 Payload Too Large. The flaw is tracked as [CWE-400] Uncontrolled Resource Consumption and affects Hono releases prior to 4.12.16. The maintainers published a fix in version 4.12.16.
Critical Impact
Remote attackers can submit chunked requests that exceed configured body size limits, consuming memory and bandwidth on Hono-based services and undermining a primary denial-of-service control.
Affected Products
- Hono framework versions prior to 4.12.16
- Node.js runtime deployments using the hono npm package
- Any JavaScript runtime application relying on Hono bodyLimit() middleware for request size enforcement
Discovery Timeline
- 2026-05-13 - CVE-2026-44456 published to the National Vulnerability Database (NVD)
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-44456
Vulnerability Analysis
Hono provides a bodyLimit() middleware that rejects requests whose body exceeds a configured maxSize. The enforcement logic relies on the Content-Length header to short-circuit oversized requests before reading the body stream. When a client omits Content-Length and uses Transfer-Encoding: chunked, the middleware does not consistently measure bytes as chunks arrive. The middleware allows the request to pass through to user-defined handlers. Handlers then process the oversized payload and respond with 200 OK, defeating the purpose of the size guard.
The issue maps to [CWE-400] Uncontrolled Resource Consumption. Confidentiality and integrity impacts are limited, but availability degradation is possible when many oversized requests are processed concurrently.
Root Cause
The root cause is incomplete streaming enforcement in bodyLimit(). The middleware trusts header-based length signaling and does not maintain a running byte count for chunked transfers. Without that running tally, the middleware cannot abort a request mid-stream when the accumulated body exceeds maxSize.
Attack Vector
The vulnerability is exploitable over the network without authentication or user interaction. An attacker sends an HTTP request with Transfer-Encoding: chunked, omits Content-Length, and streams a body larger than the configured maxSize. The Hono application accepts the body, invokes the route handler, and returns a successful response. Repeated requests can amplify resource usage on the target service. Technical specifics are documented in the Hono GitHub Security Advisory GHSA-9vqf-7f2p-gf9v.
No public proof-of-concept is referenced in the advisory metadata and the CVE is not listed in CISA KEV.
Detection Methods for CVE-2026-44456
Indicators of Compromise
- HTTP requests with Transfer-Encoding: chunked and no Content-Length header targeting Hono endpoints
- Successful 200 OK responses to requests whose aggregate body size exceeds the documented bodyLimit() maxSize
- Spikes in memory or event loop latency on Node.js Hono workers without a corresponding increase in legitimate request volume
Detection Strategies
- Inventory deployed Hono versions and flag any instance running below 4.12.16
- Inspect reverse proxy or application logs for chunked requests that produced successful responses on endpoints protected by bodyLimit()
- Add application-level instrumentation that records actual body bytes read per request and compares the value to the configured maxSize
Monitoring Recommendations
- Forward Hono and upstream proxy access logs to a centralized analytics platform and alert on chunked POST or PUT requests exceeding expected payload sizes
- Track Node.js process memory and event loop lag metrics to identify resource exhaustion patterns tied to oversized requests
- Correlate source IP behavior across endpoints to identify clients repeatedly submitting chunked oversized payloads
How to Mitigate CVE-2026-44456
Immediate Actions Required
- Upgrade the hono package to version 4.12.16 or later in all affected services
- Audit routes that depend on bodyLimit() and confirm the updated middleware is loaded before handlers
- Enforce request size limits at the reverse proxy or API gateway as a defense-in-depth control until upgrades complete
Patch Information
The vulnerability is fixed in Hono 4.12.16. The maintainers published remediation details in the Hono GitHub Security Advisory GHSA-9vqf-7f2p-gf9v. Update package manifests and rebuild deployment artifacts to ensure the patched version is shipped to production.
Workarounds
- Configure an upstream proxy such as NGINX or a managed API gateway to reject requests with bodies exceeding the application's maxSize
- Strip or normalize Transfer-Encoding: chunked requests at the edge when a known Content-Length is required by the application contract
- Add a custom middleware that streams the request body, counts bytes, and aborts the request with 413 once the configured limit is exceeded
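A streaming guard of the kind the last workaround describes, as an added example that is not Hono's own bodyLimit() code: it keeps the running byte count that the Root Cause section says the vulnerable middleware lacks, using only the Web-standard Request/ReadableStream APIs that are global in Node 18+, so it runs without Hono installed. The handle() function, the chunkedRequest() sample builder and the Hono wiring comment are assumptions for the demo.

```javascript
class PayloadTooLarge extends Error {}

// Reads a body while keeping a running byte count. A declared Content-Length
// above maxSize is rejected before reading; otherwise the read aborts as soon as
// accumulated bytes exceed maxSize, so a chunked body with no Content-Length is bounded.
async function readBodyWithLimit(request, maxSize) {
  const declared = request.headers.get('content-length');
  if (declared !== null && Number(declared) > maxSize) {
    throw new PayloadTooLarge('declared Content-Length exceeds limit');
  }
  if (request.body === null) return new Uint8Array(0);
  const reader = request.body.getReader();
  const parts = [];
  let seen = 0;
  for (;;) {
    const { done, value } = await reader.read();
    if (done) break;
    seen += value.byteLength;
    if (seen > maxSize) {
      await reader.cancel('body limit exceeded'); // stop pulling further chunks
      throw new PayloadTooLarge(`body exceeded ${maxSize} bytes`);
    }
    parts.push(value);
  }
  const out = new Uint8Array(seen);
  let offset = 0;
  for (const p of parts) { out.set(p, offset); offset += p.byteLength; }
  return out;
}
// Handler outcome as the advisory frames it: 413 when the guard trips, else 200.
// In Hono this would run inside a middleware over c.req.raw (assumed wiring).
async function handle(request, maxSize) {
  try {
    return new Response(await readBodyWithLimit(request, maxSize), { status: 200 });
  } catch (e) {
    if (e instanceof PayloadTooLarge) return new Response('Payload Too Large', { status: 413 });
    throw e;
  }
}
// Constructed sample: a POST with no Content-Length whose body arrives as
// separate chunks, the way a Transfer-Encoding: chunked request is delivered.
function chunkedRequest(chunks) {
  const enc = new TextEncoder();
  const body = new ReadableStream({
    start(controller) {
      for (const c of chunks) controller.enqueue(enc.encode(c));
      controller.close();
    },
  });
  return new Request('http://localhost/upload', { method: 'POST', body, duplex: 'half' });
}
```

With maxSize 16, three 8-byte chunks are cut off after the second read and answered 413, while an 11-byte body is passed through and answered 200.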
# Configuration example
npm install hono@^4.12.16
npm ls hono
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.