@hono/node-server has Denial of Service risk when receiving Host header that cannot be parsed
- Severity: High
Description
The application hangs when it receives a Host header whose value @hono/node-server cannot handle. Invalid values are those that the URL parser cannot interpret as a hostname, such as an empty string, slashes (/), and other malformed strings.
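The following is an added example, not code from the advisory or from the Hono project. It shows a defensive pattern for any Node.js HTTP handler: validate the Host header against the RFC 7230 `host[:port]` grammar and against the WHATWG URL parser before anything is built from it, and answer with a 400 instead of passing an unparseable value on. The regular expression, the `parseHostHeader` and `hostGuard` names, and the 255-character length cap are assumptions of this example.

```javascript
// Added example (not from the advisory or the Hono project): a strict Host-header
// guard. The advisory states that unparseable Host values (empty string, slashes,
// other malformed strings) make the server hang; this guard rejects them up front.

// RFC 7230: Host = uri-host [ ":" port ]. uri-host is a reg-name, an IPv4 literal,
// or a bracketed IP-literal. Group 1 = host, group 2 = port digits (assumed pattern).
const HOST_RE = /^(\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9\-._~%!$&'()*+,;=]+)(?::(\d{1,5}))?$/;

// Returns { hostname, port } for an acceptable Host value, or null for anything
// the server should refuse. defaultPort applies when no ":port" is given.
function parseHostHeader(value, defaultPort = 80) {
  // Length cap of 255 is an assumption of this example, not a protocol limit.
  if (typeof value !== "string" || value.length === 0 || value.length > 255) return null;
  const m = HOST_RE.exec(value);
  if (m === null) return null; // slashes, spaces, "@", control characters, ...
  const port = m[2] === undefined ? defaultPort : Number(m[2]);
  if (port < 1 || port > 65535) return null;
  let url;
  try {
    // Ask the WHATWG parser itself: it throws for host values it cannot represent
    // (for example a malformed IPv6 literal) instead of letting them reach routing.
    url = new URL(`http://${m[1]}/`);
  } catch {
    return null;
  }
  return { hostname: url.hostname, port };
}

// Wraps a (req, res) handler: requests with a bad Host header get a 400 and the
// connection is closed; valid ones carry the parsed host on req.parsedHost.
// Returns the status code so the behaviour can be checked without a real socket.
function hostGuard(handler) {
  return (req, res) => {
    const parsed = parseHostHeader(req.headers.host);
    if (parsed === null) {
      res.writeHead(400, { "content-type": "text/plain", connection: "close" });
      res.end("Bad Request: invalid Host header\n");
      return 400;
    }
    req.parsedHost = parsed;
    return handler(req, res);
  };
}

// Usage with Node's http module (not executed here):
//   const http = require("node:http");
//   http.createServer(hostGuard((req, res) => { res.end("ok\n"); return 200; })).listen(3000);
```

The guard is deliberately strict: it rejects port 0, an empty port after the colon, and anything containing path characters, because a Host value that the URL parser would silently reinterpret is as much a problem for routing as one it refuses outright.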
Recommendation
Update the @hono/node-server package to the latest compatible version. Version details are as follows:
- Affected version(s): >= 1.3.0, < 1.10.1
- Patched version(s): 1.10.1
References
Related Issues
- angular vulnerable to regular expression denial of service via the <input type="url"> element - CVE-2023-26118
- Vega vulnerable to Cross-site Scripting via RegExp.prototype[@@replace] (GHSA-963h-3v39-3pqf) - CVE-2025-27793
- jose vulnerable to resource exhaustion via specifically crafted JWE with compressed plaintext - CVE-2024-28176
- @hono/node-server cannot handle "double dots" in URL - CVE-2024-23340
- Tags: npm, @hono/node-server
Last updated on April 19, 2024