Listen to this Post
The CVE-2024-0204 vulnerability exists within the `bodyLimit` middleware of the Hono web framework. This middleware is designed to enforce a maximum allowable size for incoming HTTP request bodies, a critical defense against denial-of-service (DoS) attacks via resource exhaustion. The flaw occurred due to an incorrect interpretation of the HTTP/1.1 specification (RFC 7230). When an incoming request contained both a `Transfer-Encoding: chunked` header and a `Content-Length` header, the middleware logic erroneously prioritized the `Content-Length` value for its size check. The specification mandates that if `Transfer-Encoding: chunked` is present, the `Content-Length` header must be entirely ignored. An attacker could exploit this by crafting a malicious request with a small, legitimate `Content-Length` value that falls under the configured body limit, but a much larger body payload formatted using chunked encoding. The middleware would validate the request based on the fake Content-Length, allowing the oversized, chunked body to bypass the limit and be processed by the application, consuming excessive server memory and CPU resources.
Platform: Hono
Version: <4.9.7
Vulnerability: Bypass
Severity: Critical
date: 2024-01-04
Prediction: Patch: 2023-12-20
What Undercode Say:
`curl -X POST -H “Transfer-Encoding: chunked” -H “Content-Length: 1” –data-binary “@large_file.bin” http://victim.com/api`
`if (transferEncoding === ‘chunked’) { / ignore contentLength / }`
How Exploit:
Craft request with conflicting `Transfer-Encoding: chunked` and a small `Content-Length` header to bypass body size limit checks and transmit a large, chunked payload for a DoS attack.
Protection from this CVE
Upgrade to Hono v4.9.7+.
Impact:
Denial-of-Service via CPU/Memory exhaustion.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

