{"id":"GHSA-9vqf-7f2p-gf9v","summary":"Hono: bodyLimit() can be bypassed for chunked / unknown-length requests","details":"## Summary\n\n`bodyLimit()` does not reliably enforce `maxSize` for requests without a usable `Content-Length` (e.g. `Transfer-Encoding: chunked`). Oversized requests can reach handlers and return `200` instead of `413`.\n\n## Details\n\nFor chunked / unknown-length requests, `bodyLimit()` wraps the body in a stream that counts bytes asynchronously, then runs the handler before the size decision is final. The `413` is only applied afterwards by checking `c.error`.\n\nThis lets the limit be bypassed when:\n\n- the handler does not read the body,\n- the handler reads only the first chunk(s) and returns, or\n- the handler reads the body but swallows the read error in `try/catch`.\n\nIn all three cases the handler returns `200` before the limit check completes (or its result is observed).\n\nThe fix is to enforce the size decision before `next()` runs, instead of retrofitting the response via `c.error` afterwards.\n\n## Impact\n\nApplications relying on `bodyLimit()` as a hard boundary can be bypassed: oversized chunked requests can reach handler logic and return successful responses. Per-request data exposure is bounded by `maxSize`, but the documented guarantee — \"oversized requests are rejected before business logic runs\" — does not hold.\n\n## Credits\n\n- @lalalala5678 (slow chunked / early return variants)\n- @Jvr2022 (error handling bypass)","aliases":["CVE-2026-44456"],"modified":"2026-05-07T22:14:17.025391398Z","published":"2026-05-06T23:50:10Z","related":["CGA-v5r8-hq9w-74fr"],"database_specific":{"github_reviewed_at":"2026-05-06T23:50:10Z","severity":"MODERATE","github_reviewed":true,"cwe_ids":["CWE-400"],"nvd_published_at":null},"references":[{"type":"WEB","url":"https://github.com/honojs/hono/security/advisories/GHSA-9vqf-7f2p-gf9v"},{"type":"PACKAGE","url":"https://github.com/honojs/hono"}],"affected":[{"package":{"name":"hono","ecosystem":"npm","purl":"pkg:npm/hono"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"4.12.16"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-9vqf-7f2p-gf9v/GHSA-9vqf-7f2p-gf9v.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"}]}