Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-54289

CVE-2026-54289: Hono Information Disclosure Vulnerability

CVE-2026-54289 is an information disclosure flaw in Hono framework on AWS Lambda@Edge that truncates repeated headers like X-Forwarded-For. This article covers technical details, affected versions, and mitigation steps.

Published:

CVE-2026-54289 Overview

CVE-2026-54289 is a header handling flaw in the Hono web application framework when deployed on AWS Lambda@Edge. CloudFront delivers repeated request headers as separate entries, but the Hono adapter calls Headers.set instead of Headers.append for each value. This causes every value to overwrite the prior one, leaving only the last entry visible to application code. Repeated headers such as X-Forwarded-For, Forwarded, and Via are silently truncated to a single value. The flaw affects access control decisions and audit trails that rely on the full proxy chain. The issue is fixed in Hono 4.12.25.

Critical Impact

Applications running on Hono with AWS Lambda@Edge that base access control on the X-Forwarded-For chain may receive an attacker-controlled or partial value, weakening trust decisions and erasing hop history used for auditing.

Affected Products

  • Hono web framework versions prior to 4.12.25
  • Hono AWS Lambda@Edge adapter
  • Applications using Hono with Amazon CloudFront as the upstream proxy

Discovery Timeline

  • 2026-06-22 - CVE-2026-54289 published to NVD
  • 2026-06-22 - Last updated in NVD database

Technical Details for CVE-2026-54289

Vulnerability Analysis

The vulnerability is classified under [CWE-348] Use of Less Trusted Source. Hono is a lightweight web framework that runs on multiple JavaScript runtimes, including AWS Lambda@Edge. CloudFront forwards repeated request headers as multiple distinct entries in the event object passed to the Lambda function. The Hono adapter iterates over these entries to construct a Headers instance for the request. Each entry is written using Headers.set, which replaces any existing value for that header name. The correct API for this case is Headers.append, which preserves all prior values as a comma-separated list. As a result, only the final header occurrence reaches middleware and route handlers.

Root Cause

The root cause is an incorrect Web Fetch API call inside the Lambda@Edge adapter. Headers.set overwrites existing entries, while Headers.append accumulates them. When CloudFront delivers X-Forwarded-For once per hop, the loop discards every value except the last. Middleware that parses the comma-separated proxy chain sees only one address instead of the full sequence.

Attack Vector

An attacker sends a request through CloudFront with a header value designed to appear as the final entry in a repeated header sequence. Because the adapter retains only the last value, an attacker-supplied address can replace a trusted proxy address in X-Forwarded-For. Applications that allowlist client IPs, rate-limit by source, or audit forwarding history receive misleading data. The attack requires high complexity because it depends on how upstream proxies and CloudFront order header entries, which contributes to the limited impact rating.

No verified public exploitation code is available. See the GitHub Security Advisory GHSA-wgpf-jwqj-8h8p for full technical details.

Detection Methods for CVE-2026-54289

Indicators of Compromise

  • Application logs showing a single IP address in X-Forwarded-For where multiple proxy hops are expected
  • Access control decisions allowing requests that should fail allowlist checks based on the original client IP
  • Audit records missing intermediate proxy entries in Forwarded or Via headers

Detection Strategies

  • Inventory Hono deployments running on AWS Lambda@Edge and confirm the framework version is 4.12.25 or later
  • Compare X-Forwarded-For values logged by CloudFront against values observed by the Hono application to identify truncation
  • Review middleware code that calls c.req.header('x-forwarded-for') for assumptions about the full chain being present

Monitoring Recommendations

  • Enable CloudFront access logging and correlate request headers with downstream Lambda@Edge logs
  • Alert on unexpected source IPs reaching protected routes that rely on forwarded-header allowlists
  • Track package version drift in CI pipelines to ensure the patched Hono release is deployed

How to Mitigate CVE-2026-54289

Immediate Actions Required

  • Upgrade Hono to version 4.12.25 or later in all Lambda@Edge functions
  • Audit access control logic that depends on X-Forwarded-For, Forwarded, or Via and revalidate decisions made before patching
  • Rotate any allowlist tokens or session bindings that may have been granted based on truncated header data

Patch Information

The fix is included in Hono 4.12.25. The adapter now uses Headers.append so each repeated header value is preserved. Review the GitHub Security Advisory GHSA-wgpf-jwqj-8h8p for the official patch reference.

Workarounds

  • Read repeated headers directly from the raw CloudFront event object rather than the Hono Headers instance until the upgrade is applied
  • Enforce client identity checks at the CloudFront layer using AWS WAF rules instead of relying on application-level header parsing
  • Add a custom middleware that reconstructs X-Forwarded-For from the original Lambda@Edge event before downstream handlers execute
bash
# Upgrade Hono to the patched release
npm install hono@4.12.25

# Verify the installed version
npm ls hono

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.