@hono/node-server has Denial of Service risk when receiving Host header that cannot be parsed
- Severity: High
Description
The application hangs when it receives a Host header whose value @hono/node-server cannot handle. Invalid values are those that the URL parser cannot parse as a hostname, such as an empty string, slashes (/), and other strings.
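The condition described above, expressed as a defensive check: an added example, not code from the advisory or from @hono/node-server. `isParseableHost()` accepts a Host value only if the WHATWG URL parser takes it as a URL authority with a non-empty hostname, and the hypothetical `withHostGuard()` wrapper answers anything else with 400 before the request reaches the application.

```javascript
// Added example, not part of the advisory or of @hono/node-server.
// A Host header value passes only if the WHATWG URL parser accepts it as
// the authority of a URL and yields a non-empty hostname; the advisory's
// problem inputs (empty string, slashes) all fail this check.
function isParseableHost(host) {
  if (typeof host !== "string" || host.length === 0) return false;
  // Slashes, backslashes, '?', '#', '@' and whitespace would end or
  // restructure the authority part instead of being parsed as a hostname.
  if (/[\\\/?#@\s]/.test(host)) return false;
  try {
    const url = new URL(`http://${host}/`);
    return url.hostname.length > 0;
  } catch {
    return false; // e.g. invalid port, forbidden host code points
  }
}

// Hypothetical wrapper for a Node-style (req, res) handler: rejects
// requests with an unparseable Host header instead of handing them on.
function withHostGuard(handler) {
  return (req, res) => {
    if (!isParseableHost(req.headers.host)) {
      res.writeHead(400, { "content-type": "text/plain" });
      res.end("Bad Request: unparseable Host header\n");
      return;
    }
    handler(req, res);
  };
}

// Constructed sample values: legitimate hosts alongside the kinds of
// values the advisory names (empty string, slashes).
const SAMPLE_HOSTS = ["example.com", "example.com:8080", "[::1]:3000", "", "/", "//", "a b"];

// Maps each sample value to whether the guard would let it through.
function classifyHosts(hosts) {
  return Object.fromEntries(hosts.map((h) => [h, isParseableHost(h)]));
}

console.table(classifyHosts(SAMPLE_HOSTS));
```

Such a guard only limits exposure; the fix the advisory gives is the upgrade below.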
Recommendation
Update the @hono/node-server package to the latest compatible version. Version details:
- Affected version(s): >= 1.3.0, < 1.10.1
- Patched version(s): 1.10.1
- Tags: npm, @hono/node-server
Last updated on April 19, 2024