CVE-2026-54289
hono: Lambda@Edge adapter keeps only the last value of a repeated request header, dropping the rest
Description

### Summary

On AWS Lambda@Edge, CloudFront delivers a request header that appears more than once as several separate entries. The adapter writes each value with `Headers.set` instead of `Headers.append`, so every value overwrites the previous one and only the last reaches the application. Repeated request headers such as `X-Forwarded-For`, `Forwarded`, and `Via` are silently truncated to a single value.

### Details

A repeated request header carries an ordered list of values. The adapter iterates the list but overwrites on each step, keeping only the final value. Middleware that depends on the full list (for example IP restriction that walks the `X-Forwarded-For` chain, or auditing based on `Forwarded`/`Via` hops) receives incomplete data.

The API Gateway adapter already appends repeated values and is not affected. This issue arises only on Lambda@Edge deployments, for requests that contain the same header more than once.

### Impact

Request middleware sees only the last value of a repeated header instead of the full chain. For applications that base access control on the `X-Forwarded-For` chain, this can weaken or alter that decision; for auditing, hop history is lost. This affects applications deployed on AWS Lambda@Edge that rely on multi-value request headers.
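The following is an added illustration of the defect class described above, not hono's own adapter code: it converts a constructed CloudFront Lambda@Edge header map (lowercased key, array of `{ key, value }` entries) into a `Headers` object with the overwriting `set` pattern and with the correct `append` pattern, then shows how an `X-Forwarded-For` consumer can detect dropped hops. The header values and the helper names `toHeadersWithSet`, `toHeadersWithAppend`, `forwardedChain` and `lostHops` are assumptions made here.

```javascript
// Constructed Lambda@Edge (CloudFront) request event fragment: a repeated
// header arrives as separate entries under a single lowercased key.
const sampleEdgeHeaders = {
  'x-forwarded-for': [
    { key: 'X-Forwarded-For', value: '203.0.113.10' },
    { key: 'X-Forwarded-For', value: '198.51.100.7' },
  ],
  via: [
    { key: 'Via', value: '1.1 edge-a' },
    { key: 'Via', value: '1.1 edge-b' },
  ],
  'user-agent': [{ key: 'User-Agent', value: 'constructed-client/1.0' }],
};

// Vulnerable conversion pattern (hypothetical, mirrors the advisory):
// Headers.set on each entry overwrites the previous value, so only the
// last delivered value survives.
function toHeadersWithSet(edgeHeaders) {
  const headers = new Headers();
  for (const entries of Object.values(edgeHeaders)) {
    for (const { key, value } of entries) headers.set(key, value);
  }
  return headers;
}

// Corrected pattern: Headers.append keeps every value in CloudFront's order;
// Headers.get() later returns them joined with ", " as a single list.
function toHeadersWithAppend(edgeHeaders) {
  const headers = new Headers();
  for (const entries of Object.values(edgeHeaders)) {
    for (const { key, value } of entries) headers.append(key, value);
  }
  return headers;
}

// Consumer-side view of the chain, as an IP-restriction middleware would
// parse it: split the comma-separated list into individual hops.
function forwardedChain(headers) {
  const raw = headers.get('x-forwarded-for');
  return raw ? raw.split(',').map((s) => s.trim()).filter(Boolean) : [];
}

// Detection check: number of X-Forwarded-For entries CloudFront delivered
// minus the number the application can still see. Non-zero means truncation.
function lostHops(edgeHeaders, headers) {
  const delivered = (edgeHeaders['x-forwarded-for'] ?? []).length;
  return delivered - forwardedChain(headers).length;
}
```

Running `lostHops` against both conversions on the same event gives 1 for the `set` variant and 0 for the `append` variant, which is the observable difference an integration test for an edge adapter should assert on.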
How to fix CVE-2026-54289
To fix CVE-2026-54289, upgrade the affected package to the patched version listed below.
- — upgrade to 4.12.25 or later
Is CVE-2026-54289 being exploited?
There are currently no signs of exploitation. CVE-2026-54289 is not listed in CISA KEV and has no recent EPSS score.
Affected packages (1)
- from 0, < 4.12.25
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 4.8 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N |