Listen to this Post
Hono is a Web application framework that provides support for any JavaScript runtime. From version 4.3.3 before 4.12.27, the AWS API Gateway v1 adapter contains a critical flaw in its header de‑duplication logic. The adapter is responsible for transforming the incoming API Gateway event into a standard Headers object that the Hono application can consume. When the client sends a request with the same header field multiple times—each with a distinct value—the adapter attempts to collapse these repeated values into a single consolidated header entry.
However, the de‑duplication routine does not compare values for exact equality. Instead, it uses a substring comparison. If one header value is a substring of another, the shorter value is silently discarded. For example, if the `X-Forwarded-For` header contains both `203.0.113.1` and 203.0.113.10, the adapter will drop `203.0.113.1` because it is a substring of 203.0.113.10. Only the longer value survives.
This behavior is triggered in the adapter’s merged‑header handling path, where repeated values from `multiValueHeaders` or array‑valued headers are collapsed before the application ever sees them. The adapter writes each value using `Headers.set` instead of Headers.append, so every subsequent value overwrites the previous one. Only the last processed value reaches the application logic.
The impact is subtle but severe. Middleware or application logic that depends on the complete ordered chain of `X-Forwarded-For` values—for IP filtering, rate limiting, audit logging, or proxy‑chain validation—receives incomplete data. An attacker can craft the header order to deliberately drop specific values, potentially bypassing security controls that rely on the full header chain. The issue also affects the VPC Lattice adapter (LatticeV2Processor), which mirrors the same flawed logic.
The vulnerability is fixed in version 4.12.27, where the adapter now performs an exact string match during de‑duplication, preserving all distinct repeated header values. The CVSS base score is 4.8 (MEDIUM) with a vector of CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N. Despite the moderate score, the practical consequences—especially for security controls—are often worse than the score suggests.
DailyCVE Form
Platform: Hono (aws-lambda)
Version: 4.3.3 – 4.12.26
Vulnerability: Header dedup substring bug
Severity: MEDIUM (CVSS 4.8)
Date: 2026‑07‑08
Prediction: Patch already in 4.12.27
What Undercode Say
Analytics
- EPSS Probability: 0.12% (3rd percentile)
- Exploitation in the wild: None reported (SSVC: none)
- Automatable: No
- Technical Impact: Partial
- Affected package: `hono` (npm)
- Vulnerable path: `hono/aws-lambda` → `EventV1Processor` / `LatticeV2Processor`
– CWE: 348 – Use of Less Trusted Source
Bash Commands & Code Snippets
Check your current Hono version:
npm list hono
Update to the patched version:
npm install [email protected]
Verify the fix:
npm audit | grep -i hono
Audit your Prisma project (if Hono is a transitive dependency):
bun audit | grep hono
Vulnerable code pattern in the adapter (simplified):
// Vulnerable: substring comparison
if (existingValue.includes(newValue) || newValue.includes(existingValue)) {
// drop the shorter value
}
Patched code pattern (exact match):
// Patched: exact comparison
if (existingValue === newValue) {
// deduplicate only identical values
}
Exploit
An attacker can exploit this vulnerability by sending an HTTP request with a repeated header where one value is a substring of another. For example:
X-Forwarded-For: 203.0.113.1, 203.0.113.10
The adapter will drop `203.0.113.1` because it is a substring of 203.0.113.10. If the application uses the first IP in the `X-Forwarded-For` chain for rate limiting or IP allowlisting, the attacker can effectively hide the real client IP and bypass those controls. The attack requires no privileges and no user interaction, but it does require the attacker to understand the header order and the application’s dependency on the full chain.
Protection
- Upgrade immediately to Hono version 4.12.27 or later. This is the only complete fix.
- If you cannot upgrade immediately, avoid relying on the full `X-Forwarded-For` chain or any repeated header values for security‑critical decisions in affected versions.
- Audit your codebase for middleware that reads
X-Forwarded-For,X-Real-IP, or similar headers and ensure it does not assume completeness of the header list. - Consider using a WAF or API Gateway‑level IP filtering that operates before the request reaches the Hono adapter, as a defense‑in‑depth measure.
- Run `npm audit` regularly to detect vulnerable dependencies.
Impact
- Incomplete Data: Middleware and application logic receive a truncated header list that does not match the client’s original request.
- Bypass of Security Controls: Rate limiting, IP allowlisting/blocklisting, and proxy‑chain validation can be evaded by crafting the header order to drop specific values.
- Audit Logging Corruption: Audit logs that record the full `X-Forwarded-For` chain will contain incomplete data, hindering forensic analysis.
- False Decisions: Any logic that depends on the complete ordered list of header values can make incorrect decisions, potentially leading to unauthorized access or denial of service.
🎯Let’s Practice Exploiting & Learn Patching For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

