SCA: security update for hono (GHSA-92vj-g62v-jqhh)

medium Tenable Self-Hosted Container Security Plugin ID 435283

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Hono is a Web application framework that provides support for any JavaScript runtime. In versions prior to
4.9.7, a flaw in the `bodyLimit` middleware could allow bypassing the configured request body size limit
when conflicting HTTP headers were present. The middleware previously prioritized the `Content-Length`
header even when a `Transfer-Encoding: chunked` header was also included. According to the HTTP
specification, `Content-Length` must be ignored in such cases. This discrepancy could allow oversized
request bodies to bypass the configured limit. Most standards-compliant runtimes and reverse proxies may
reject such malformed requests with `400 Bad Request`, so the practical impact depends on the runtime and
deployment environment. If body size limits are used as a safeguard against large or malicious requests,
this flaw could allow attackers to send oversized request bodies. The primary risk is denial of service
(DoS) due to excessive memory or CPU consumption when handling very large requests. The implementation has
been updated to align with the HTTP specification, ensuring that `Transfer-Encoding` takes precedence over
`Content-Length`. The issue is fixed in Hono v4.9.7, and all users should upgrade immediately.
(CVE-2025-59139)

See Also

https://github.com/advisories/GHSA-92vj-g62v-jqhh

Plugin Details

Severity: Medium

ID: 435283

Version: Revision 1.9

Type: Local

Family: SCA Checks

Published: 9/13/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 1.2

Percentile: 0.01

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS Score Source: CVE-2025-59139

CVSS v3

Risk Factor: Medium

Base Score: 5.3

Temporal Score: 4.6

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 9/12/2025

Vulnerability Publication Date: 9/12/2025

Reference Information

CVE: CVE-2025-59139