PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-54289 honojs CVE debrief

CVE-2026-54289 is a vulnerability in the AWS Lambda@Edge adapter of the Hono web application framework, used when Hono runs at the edge in front of CloudFront. CloudFront delivers a request header that appears more than once as several separate entries in the event's headers map. Prior to version 4.12.25, the adapter wrote each entry with Headers.set instead of Headers.append, so every value overwrote the one before it and only the last entry reached the application. Access control decisions based on the X-Forwarded-For chain can therefore be weakened or altered, and the hop history needed for auditing is lost before the application ever sees it. The vulnerability has a CVSS score of 4.8 and is classified as MEDIUM severity. It was published on June 22, 2026, and fixed in version 4.12.25.

Vendor
honojs
Product
hono
CVSS
MEDIUM 4.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-22
Original CVE updated
2026-06-22
Advisory published
2026-06-22
Advisory updated
2026-06-22

Who should care

Organizations running the Hono web application framework on AWS Lambda@Edge in front of CloudFront should be aware of this vulnerability. Applications that make access control decisions from the X-Forwarded-For chain (or from the related Forwarded and Via headers) are the ones whose behaviour can change. Security teams and auditors who rely on the full hop history should also take note: on affected versions the earlier hops never reached the application, so application-level logs from that period record only the last hop.

Technical summary

The Hono web application framework, prior to version 4.12.25, mishandles repeated request headers when used with AWS Lambda@Edge and CloudFront. CloudFront presents a header that appears more than once as several separate entries, and the adapter copied each entry into the request with Headers.set rather than Headers.append. Because set replaces any existing value for a header name, each entry overwrote the previous one and only the last value reached the application. For X-Forwarded-For, Forwarded and Via this means a multi-hop chain collapses to a single hop, which can alter access control decisions that inspect the chain and removes the earlier hops from anything the application logs. The vulnerability is fixed in version 4.12.25.
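The header-collapsing behaviour described above, reconstructed as an added example that is not Hono's own code: a constructed CloudFront-style headers map is converted once with Headers.set (the pre-fix behaviour the advisory describes) and once with Headers.append (the fixed behaviour), and a hypothetical first-hop allowlist check shows how the truncated chain changes the outcome. The event layout (lowercased header name mapping to an array of { key, value } entries) is CloudFront's Lambda@Edge format; the sample addresses, the allowlist and the firstHopAllowed check are assumptions made for illustration.

```javascript
// Added example, not Hono's own code: show how Headers.set and Headers.append
// differ when a CloudFront-style headers map carries a header more than once.
// Requires the global Headers class (Node.js 18+ or any browser).

// CloudFront Lambda@Edge delivers request.headers as an object keyed by the
// lowercased header name; each value is an array of { key, value } entries,
// and a header sent more than once appears as several entries.
// This map is constructed for the example.
const CONSTRUCTED_CF_HEADERS = {
  host: [{ key: 'Host', value: 'app.example.com' }],
  'x-forwarded-for': [
    { key: 'X-Forwarded-For', value: '203.0.113.7' },   // first hop (constructed, TEST-NET-3)
    { key: 'X-Forwarded-For', value: '198.51.100.20' }, // later proxy hop (constructed, TEST-NET-2)
  ],
  via: [
    { key: 'Via', value: '1.1 proxy-a' },
    { key: 'Via', value: '1.1 proxy-b' },
  ],
};

// Vulnerable shape (pre-4.12.25 behaviour as the advisory describes it):
// Headers.set replaces any existing value for the name, so each repeated
// entry overwrites the previous one and only the last survives.
function toHeadersWithSet(cfHeaders) {
  const headers = new Headers();
  for (const entries of Object.values(cfHeaders)) {
    for (const { key, value } of entries) headers.set(key, value);
  }
  return headers;
}

// Fixed shape: Headers.append keeps every entry; Headers.get() then returns
// the values joined with ", ", so the whole chain reaches the application.
function toHeadersWithAppend(cfHeaders) {
  const headers = new Headers();
  for (const entries of Object.values(cfHeaders)) {
    for (const { key, value } of entries) headers.append(key, value);
  }
  return headers;
}

// Hypothetical trust check of the kind the advisory warns about: it reads the
// first hop of X-Forwarded-For and compares it with an allowlist. It exists
// only to show the decision flipping when the chain is truncated. In real
// code X-Forwarded-For is client-influenced and must never be the sole basis
// for an authorization decision, whether or not the chain arrives intact.
function firstHopAllowed(headers, allowlist) {
  const xff = headers.get('x-forwarded-for');
  if (xff === null) return false;
  const firstHop = xff.split(',')[0].trim();
  return allowlist.has(firstHop);
}

// Returns the X-Forwarded-For chain as the application sees it under both behaviours.
function compareChains(cfHeaders) {
  return {
    withSet: toHeadersWithSet(cfHeaders).get('x-forwarded-for'),
    withAppend: toHeadersWithAppend(cfHeaders).get('x-forwarded-for'),
  };
}

const ALLOWLIST = new Set(['203.0.113.7']); // constructed allowlist for the demo

console.log(compareChains(CONSTRUCTED_CF_HEADERS));
// { withSet: '198.51.100.20', withAppend: '203.0.113.7, 198.51.100.20' }
console.log('set    ->', firstHopAllowed(toHeadersWithSet(CONSTRUCTED_CF_HEADERS), ALLOWLIST));    // false
console.log('append ->', firstHopAllowed(toHeadersWithAppend(CONSTRUCTED_CF_HEADERS), ALLOWLIST)); // true
```

With set, the first hop 203.0.113.7 is gone and the allowlist check fails; with append, the application receives "203.0.113.7, 198.51.100.20" and the same check passes. The Via chain collapses the same way, which is the audit-trail loss the advisory describes.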

Defensive priority

Apply the patch: upgrade to Hono version 4.12.25 or later. Review access control configurations: do not base trust decisions on the X-Forwarded-For chain alone; the chain is client-influenced even when it arrives intact, and on affected versions only its last entry reaches the application. Implement additional logging: if hop history matters for auditing, capture the raw CloudFront event headers at the edge rather than relying on what the application receives, because the application layer cannot recover values the adapter has already dropped.

Recommended defensive actions

  • Apply the patch: Upgrade to Hono version 4.12.25 or later.
  • Review access control configurations: do not base trust decisions solely on the X-Forwarded-For chain; it is client-influenced even when intact, and on affected versions only its last entry is visible to the application.
  • Implement additional logging: to preserve hop history for auditing, log the raw CloudFront event headers at the edge; the application cannot log values the adapter never passed on.
  • Monitor for suspicious activity: look for requests that carry several X-Forwarded-For, Forwarded or Via entries at the edge but appear as a single hop in application logs, since a truncated chain is where an access control check could be misled.
  • Update incident response plans: Include procedures for addressing potential access control weaknesses due to this vulnerability.

Evidence notes

The CVE-2026-54289 vulnerability was published on June 22, 2026, with a CVSS score of 4.8 and MEDIUM severity. The issue was fixed in Hono version 4.12.25. The vulnerability affects applications using AWS Lambda@Edge and CloudFront, particularly those relying on X-Forwarded-For headers for access control. The source item provides details from the NVD database.

Official resources

This article is AI-assisted and based on the supplied source corpus.