@hono/node-server has Denial of Service risk when receiving Host header that cannot be parsed
- Severity: High
Description
The server hangs, never writing a response, when it receives a Host header whose value @hono/node-server cannot handle. Invalid values are those the WHATWG URL parser rejects as a hostname, such as an empty string, a value consisting only of slashes (`/`), and other strings that are not a valid host with an optional port. Because the request is never answered, each such request holds its connection open until the server times it out, which is what makes the behaviour a denial-of-service risk.
Recommendation
Update the @hono/node-server package to the latest compatible version. Version details:
- Affected version(s): >= 1.3.0, < 1.10.1
- Patched version(s): 1.10.1
Related Issues
- @hono/node-server cannot handle "double dots" in URL - CVE-2024-23340
- @hono/node-server has authorization bypass for protected static paths via encoded slashes in Serve Static Middleware - CVE-2026-29087
- Parse Server has Denial of Service (DoS) and Cloud Function Dispatch Bypass via Prototype Chain Resolution - CVE-2026-30939
- Parse Server has Regular Expression Denial of Service (ReDoS) via `$regex` query in LiveQuery - CVE-2026-30925
- Tags: npm, @hono/node-server
Last updated on April 19, 2024