Hono, HTTP Request Smuggling, CVE-2024-0204 (Critical)

Listen to this Post

The CVE-2024-0204 vulnerability exists within the `bodyLimit` middleware of the Hono web framework. This middleware is designed to enforce a maximum allowable size for incoming HTTP request bodies, a critical defense against denial-of-service (DoS) attacks via resource exhaustion. The flaw occurred due to an incorrect interpretation of the HTTP/1.1 specification (RFC 7230). When an incoming request contained both a `Transfer-Encoding: chunked` header and a `Content-Length` header, the middleware logic erroneously prioritized the `Content-Length` value for its size check. The specification mandates that if `Transfer-Encoding: chunked` is present, the `Content-Length` header must be entirely ignored. An attacker could exploit this by crafting a malicious request with a small, legitimate `Content-Length` value that falls under the configured body limit, but a much larger body payload formatted using chunked encoding. The middleware would validate the request based on the fake Content-Length, allowing the oversized, chunked body to bypass the limit and be processed by the application, consuming excessive server memory and CPU resources.
Platform: Hono
Version: <4.9.7
Vulnerability: Bypass
Severity: Critical

date: 2024-01-04

Prediction: Patch: 2023-12-20

What Undercode Say:

`curl -X POST -H “Transfer-Encoding: chunked” -H “Content-Length: 1” –data-binary “@large_file.bin” http://victim.com/api`
`if (transferEncoding === ‘chunked’) { / ignore contentLength / }`

How Exploit:

Craft request with conflicting `Transfer-Encoding: chunked` and a small `Content-Length` header to bypass body size limit checks and transmit a large, chunked payload for a DoS attack.

Protection from this CVE

Upgrade to Hono v4.9.7+.

Impact:

Denial-of-Service via CPU/Memory exhaustion.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top