CVE-2026-54288
hono: Body Limit Middleware can be bypassed on AWS Lambda by understating `Content-Length`
描述
### Summary The Body Limit Middleware trusts the request's `Content-Length` header to decide whether a body is within the limit. On AWS Lambda (API Gateway v1/v2, ALB, VPC Lattice, and Lambda@Edge) the body is delivered fully buffered and the adapter builds the request with the client-declared `Content-Length`, which need not match the actual payload. A client can declare a tiny `Content-Length` while sending a much larger body, slipping past the limit. ### Details When `Content-Length` is present and `Transfer-Encoding` is absent, the middleware compares the declared value against the limit and passes the request through if it is small enough. On standards-based runtimes the transport enforces that `Content-Length` matches the body, so this is safe. The Lambda adapters instead reconstruct the request from a buffered payload and copy the client's `Content-Length` verbatim, so the declared length and the real body size are decoupled. This issue affects applications deployed on AWS Lambda that rely on the Body Limit Middleware to cap request body size. ### Impact The declared body-size limit can be bypassed: a handler reads a payload larger than the configured maximum. Processing the oversized payload (large JSON, multipart, etc.) consumes additional CPU and memory per request. The payload remains bounded by the platform's request size limits, and Lambda isolates invocations, so the impact is increased per-request resource usage rather than full denial of service. This affects applications deployed on AWS Lambda that use the Body Limit Middleware.
如何修補 CVE-2026-54288
要修補 CVE-2026-54288,請將受影響套件升級到下列已修補版本。
- —升級至 4.12.25 或更新版本
CVE-2026-54288 正在被利用嗎?
目前沒有被利用訊號。CVE-2026-54288 既不在 CISA KEV 也沒有最新的 EPSS 分數。
受影響套件(1)
- from 0, < 4.12.25