CVE-2026-59897 Overview
CVE-2026-59897 affects Hono, a web application framework supporting multiple JavaScript runtimes. The flaw resides in the AWS API Gateway v1 adapter, which de-duplicates repeated HTTP header values using a substring comparison rather than an exact match. As a result, distinct values within multi-value headers such as X-Forwarded-For can be silently dropped before reaching application code. Versions from 4.3.3 up to but not including 4.12.27 are affected. The issue is fixed in Hono 4.12.27.
Critical Impact
Middleware relying on the complete header chain — including rate limiting, audit logging, and proxy-chain validation — receives incomplete data, enabling trust decisions based on tampered or partial client IP information [CWE-348].
Affected Products
- Hono framework versions 4.3.3 through 4.12.26
- Applications using the Hono AWS Lambda adapter (aws-lambda/handler.ts) with AWS API Gateway v1
- Deployments consuming event.multiValueHeaders for downstream security decisions
Discovery Timeline
- 2026-07-08 - CVE-2026-59897 published to NVD
- 2026-07-09 - Last updated in NVD database
Technical Details for CVE-2026-59897
Vulnerability Analysis
The Hono AWS Lambda adapter reconstructs incoming HTTP headers from the API Gateway proxy event. When processing event.multiValueHeaders, the adapter attempts to avoid duplicating already-set entries by checking whether the existing header string includes the incoming value. This substring check produces false positives whenever a new value is a substring of a previously appended value. Distinct entries in the X-Forwarded-For chain — such as intermediate proxy IPs that are substrings of client IPs — are silently discarded. Applications receive a truncated header chain and make security decisions on incomplete data. The weakness is categorized as Use of Less Trusted Source [CWE-348].
Root Cause
The root cause is an incorrect comparison algorithm in getHeaders() within src/adapter/aws-lambda/handler.ts. Using String.prototype.includes for equality checks conflates substring matches with duplicates. Any repeated header value whose content overlaps with an existing value is dropped rather than appended.
Attack Vector
An attacker on the network can craft requests through an intermediate proxy or spoof forwarding headers so that resulting X-Forwarded-For entries contain substrings of each other. Rate limiters, IP allow-lists, and audit trails then evaluate an incomplete chain, allowing bypass of proxy-chain validation or attribution of requests to the wrong origin.
// Patch: src/adapter/aws-lambda/handler.ts
protected getHeaders(event: APIGatewayProxyEvent): Headers {
const headers = new Headers()
this.getCookies(event, headers)
- if (event.headers) {
- for (const [k, v] of Object.entries(event.headers)) {
- if (v) {
- headers.set(k, sanitizeHeaderValue(v))
- }
- }
- }
if (event.multiValueHeaders) {
for (const [k, values] of Object.entries(event.multiValueHeaders)) {
if (values) {
- // avoid duplicating already set headers
- const foundK = headers.get(k)
- values.forEach((v) => {
- const sanitizedValue = sanitizeHeaderValue(v)
- return (
- (!foundK || !foundK.includes(sanitizedValue)) && headers.append(k, sanitizedValue)
- )
- })
+ values.forEach((v) => headers.append(k, sanitizeHeaderValue(v)))
+ }
+ }
+ }
+ if (event.headers) {
+ for (const [k, v] of Object.entries(event.headers)) {
+ if (v && !headers.has(k)) {
+ headers.set(k, sanitizeHeaderValue(v))
}
Source: Hono commit aa92177. The fix removes the substring comparison and unconditionally appends every value from multiValueHeaders, then populates single-value headers only when absent.
Detection Methods for CVE-2026-59897
Indicators of Compromise
- Discrepancies between API Gateway CloudWatch access logs (which retain the full X-Forwarded-For chain) and application-level logs emitted by Hono middleware
- Rate-limit counters that fail to increment for known abusive source IPs traversing multi-hop proxies
- Audit records showing single-entry X-Forwarded-For values on requests known to traverse multiple proxies
Detection Strategies
- Inventory all Lambda functions using Hono in the vulnerable version range >=4.3.3 <4.12.27 via package.json and lockfile scanning
- Compare header values captured at the API Gateway layer against values recorded by Hono handlers to identify dropped entries
- Instrument middleware to log the raw event.multiValueHeaders['x-forwarded-for'] alongside the parsed header count
Monitoring Recommendations
- Ingest AWS API Gateway execution logs and Lambda application logs into a centralized analytics platform for cross-layer correlation
- Alert when rate-limiting or IP-allow-list decisions rely on X-Forwarded-For values containing only a single entry from requests routed through known multi-proxy paths
- Track deployments of Hono versions across serverless inventories and flag regressions to affected releases
How to Mitigate CVE-2026-59897
Immediate Actions Required
- Upgrade Hono to version 4.12.27 or later in all AWS Lambda deployments using the API Gateway v1 adapter
- Audit middleware and business logic that trusts X-Forwarded-For, Forwarded, or other repeated headers for security decisions
- Rebuild and redeploy Lambda deployment packages and layers containing the vulnerable dependency
Patch Information
The fix is available in Hono release v4.12.27. Technical details and coordinated disclosure information are published in GitHub Security Advisory GHSA-xgm2-5f3f-mvvc. The corrective change is committed in aa921770d09bc35970362d5a2630a878f6d982fd.
Workarounds
- Reconstruct the header chain directly from event.multiValueHeaders inside handler code rather than relying on the adapter-parsed Headers object
- Enforce trust decisions using API Gateway request context fields such as requestContext.identity.sourceIp instead of client-supplied forwarding headers
- Restrict incoming traffic to a single known ingress path to reduce reliance on multi-value forwarding headers until patching completes
# Upgrade Hono to the patched release
npm install hono@4.12.27
# Verify no vulnerable versions remain in the dependency tree
npm ls hono | grep -E 'hono@(4\.([3-9]|1[0-1])\.|4\.12\.[0-9]$|4\.12\.1[0-9]$|4\.12\.2[0-6]$)'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

