@hono/node-server has Denial of Service risk when receiving Host header that cannot be parsed
- Severity: High
Description
The application hangs when it receives a Host header whose value @hono/node-server cannot handle. Invalid values are those that cannot be parsed as a hostname by the URL parser, such as an empty string, slashes (/), and other malformed strings.
Recommendation
Update the @hono/node-server package to the latest compatible version. Version details:
- Affected version(s): >= 1.3.0, < 1.10.1
- Patched version(s): 1.10.1
References
Related Issues
- @hono/node-server cannot handle "double dots" in URL - CVE-2024-23340
- @hono/node-server has authorization bypass for protected static paths via encoded slashes in Serve Static Middleware - CVE-2026-29087
- Signal K Server has an Unauthenticated Regular Expression Denial of Service (ReDoS) via WebSocket Subscription Paths - CVE-2026-39320
- SvelteKit is vulnerable to denial of service and possible SSRF when using prerendering - @sveltejs/adapter-node - CVE-2025-67647
- Tags: npm, @hono/node-server
Last updated on April 19, 2024