@hono/node-server has Denial of Service risk when receiving Host header that cannot be parsed
- Severity: High
Description
The application hangs when it receives a Host header whose value @hono/node-server cannot handle. Invalid values are those that the URL parser cannot parse as a hostname, such as an empty string, a slash (/), and similar strings.
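The check below is an added example, not @hono/node-server's own code. It assumes the adapter rebuilds the request URL as `${scheme}://${Host}${path}` (the names `requestUrlFromHost` and `handle` are hypothetical), shows which Host values the WHATWG URL parser throws on or silently reinterprets, and answers 400 up front rather than leaving the response unfinished.

```javascript
// Added example (not @hono/node-server code). Assumption: the server
// rebuilds the WHATWG URL of a request as `${scheme}://${Host}${path}`,
// which is where an unparsable Host header turns into an exception.

// Returns the request URL, or null when the Host header is missing,
// cannot be parsed, or was reinterpreted by the parser (e.g. Host "/"
// with path "/api" parses as host "api", not as an error).
function requestUrlFromHost(hostHeader, path, scheme = 'http') {
  if (typeof hostHeader !== 'string' || hostHeader.length === 0) return null;
  let url;
  try {
    url = new URL(`${scheme}://${hostHeader}${path}`);
  } catch {
    return null; // e.g. a space in the header: TypeError [ERR_INVALID_URL]
  }
  // Whatever the parser found as hostname must be the header itself,
  // minus an optional port, otherwise the header was not a hostname.
  // (Punycode conversion of IDN hosts is not handled in this example.)
  const expected = hostHeader.replace(/:\d+$/, '').toLowerCase();
  if (url.hostname !== expected) return null;
  return url;
}

// Request-listener shaped helper: reject early with 400 instead of
// letting the URL error escape later and stall the response.
function handle(req) {
  const url = requestUrlFromHost(req.headers.host, req.url);
  if (url === null) {
    return { status: 400, body: 'Bad Request: invalid Host header' };
  }
  return { status: 200, body: `echo ${url.pathname}` };
}

// Constructed sample requests (not captured traffic).
const samples = [
  { headers: { host: 'example.com:8080' }, url: '/api' },
  { headers: { host: '' }, url: '/api' },
  { headers: { host: '/' }, url: '/api' },
  { headers: { host: 'bad host' }, url: '/' },
];

for (const req of samples) {
  console.log(JSON.stringify(req.headers.host), '->', handle(req).status);
}
```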
Recommendation
Update the @hono/node-server package to the latest compatible version. Version details:
- Affected version(s): >= 1.3.0, < 1.10.1
- Patched version(s): 1.10.1
References
Related Issues
- @hono/node-server cannot handle "double dots" in URL - CVE-2024-23340
- Signal K Server Vulnerable to Denial of Service via Unrestricted Access Request Flooding - CVE-2025-68272
- Parse Server before v3.4.1 vulnerable to Denial of Service - CVE-2019-1020012
- Denial of service in http-proxy-middleware - CVE-2024-21536
- Tags: npm, @hono/node-server
Last updated on April 19, 2024