{"id":"CVE-2026-59897","summary":"Hono: API Gateway v1 adapter can drop a distinct repeated request header value during de-duplication","details":"Hono is a Web application framework that provides support for any JavaScript runtime. From 4.3.3 before 4.12.27, the AWS API Gateway v1 adapter can drop a distinct repeated request header value because it de-duplicates values using a substring comparison instead of an exact match, so middleware or application logic that depends on the complete X-Forwarded-For chain, rate limiting, audit logging, or proxy-chain validation can receive incomplete data. This issue is fixed in version 4.12.27.","aliases":["GHSA-xgm2-5f3f-mvvc"],"modified":"2026-07-15T01:49:05.941382505Z","published":"2026-07-08T16:06:11.369Z","database_specific":{"cwe_ids":["CWE-348"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/59xxx/CVE-2026-59897.json","cna_assigner":"GitHub_M"},"references":[{"type":"WEB","url":"https://github.com/honojs/hono/releases/tag/v4.12.27"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/59xxx/CVE-2026-59897.json"},{"type":"ADVISORY","url":"https://github.com/honojs/hono/security/advisories/GHSA-xgm2-5f3f-mvvc"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-59897"},{"type":"FIX","url":"https://github.com/honojs/hono/commit/aa921770d09bc35970362d5a2630a878f6d982fd"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/honojs/hono","events":[{"introduced":"6e471ef7ddecd297eb1ecf44d1f4343e109d6f05"},{"fixed":"97c6fe1f12298c715eb7b2da65b4b6e0d81682bb"},{"fixed":"aa921770d09bc35970362d5a2630a878f6d982fd"}],"database_specific":{"cpe":"cpe:2.3:a:hono:hono:*:*:*:*:*:node.js:*:*","extracted_events":[{"introduced":"4.3.3"},{"fixed":"4.12.27"}],"source":["CPE_RANGE","REFERENCES"]}}],"versions":["v4.12.26","v4.12.25","v4.12.24","v4.12.23","v4.12.22","v4.12.21","v4.12.20","v4.12.19","v4.12.18","v4.12.17","v4.12.16","v4.12.15","v4.12.14","v4.12.13","v4.12.12","v4.12.11","v4.12.10","v4.12.9","v4.12.8","v4.12.7","v4.12.6","v4.12.5","v4.12.4","v4.12.3","v4.12.2","v4.12.1","v4.12.0","v4.11.10","v4.11.9","v4.11.8","v4.11.7","v4.11.6","v4.11.5","v4.11.4","v4.11.3","v4.11.2","v4.11.1","v4.11.0","v4.10.8","v4.10.7","v4.10.6","v4.10.5","v4.10.4","v4.10.3","v4.10.2","v4.10.1","v4.10.0","v4.9.12","v4.9.11","v4.9.10","v4.9.9","v4.9.8","v4.9.7","v4.9.6","v4.9.5","v4.9.4","v4.9.3","v4.9.2","v4.9.1","v4.9.0","v4.8.12","v4.8.11","v4.8.10","v4.8.9","v4.8.8","v4.8.7","v4.8.6","v4.8.5","v4.8.4","v4.8.3","v4.8.2","v4.8.1","v4.8.0","v4.7.11","v4.7.10","v4.7.9","v4.7.8","v4.7.7","v4.7.6","v4.7.5","v4.7.4","v4.7.3","v4.7.2","v4.7.1","v4.7.0","v4.6.20","v4.6.19","v4.6.18","v4.6.17","v4.6.16","v4.6.15","v4.6.14","v4.6.13","v4.6.12","v4.6.11","v4.6.10","v4.6.9","v4.6.8","v4.6.7","v4.6.6","v4.6.5","v4.6.4","v4.6.3","v4.6.2","v4.6.1","v4.6.0","v4.5.11","v4.5.10","v4.5.9","v4.5.8","v4.5.7","v4.5.6","v4.5.5","v4.5.4","v4.5.3","v4.5.2","v4.5.1","v4.5.0","v4.4.13","v4.4.12","v4.4.11","v4.4.10","v4.5.0-rc.2","v4.4.9","v4.4.8","v4.4.7","v4.4.6","v4.5.0-rc.1","v4.4.5","v4.4.4","v4.4.3","v4.4.2","v4.4.1","v4.4.0","v4.3.11","v4.3.10","v4.3.9","v4.3.8","v4.3.7","v4.3.6","v4.3.5","v4.3.4","v4.3.3"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-59897.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"}]}