Edamame-X

**Name of the Vulnerable Software and Affected Versions** Elysia versions prior to 1.4.26 **Description** Elysia, a Typescript framework used for request validation, type inference, OpenAPI documentation, and client-server communication, contains a Regular Expression Denial of Service (ReDoS) issue. Specifically, the `t.String({ format: 'url' })` function is susceptible to significant slowdowns when provided with a repeated partial URL format (protocol and hostname). This occurs because the regular expression used for URL validation becomes inefficient when processing such input. **Recommendations** Update to version 1.4.26 or later.

**Name of the Vulnerable Software and Affected Versions** Hono versions prior to 4.12.4 **Description** Hono is a Web application framework supporting various JavaScript runtimes. An inconsistency in URL decoding between the router (`decodeURI`) and `serveStatic` (`decodeURIComponent`) allowed protected static resources to be accessed without authorization when using route-based middleware protections, such as `app.use('/admin/*', ...)`. Specifically, paths containing encoded slashes (`%2F`) bypassed middleware protections while still resolving to the intended filesystem path. The router treated `%2F` as a literal string, while `serveStatic` decoded it to `/` before resolving the file path. This issue does not allow access outside the static root and is not a path traversal issue. An unauthenticated attacker could bypass route-based authorization for protected static resources by supplying paths containing encoded slashes. This affects applications that both protect subpaths using route-based middleware and serve files from the same static root using `serveStatic`. **Recommendations** Versions prior to 4.12.4 should be updated to version 4.12.4 or later.

**Name of the Vulnerable Software and Affected Versions** Hono versions 4.12.0 through 4.12.1 **Description** Hono is a Web application framework that provides support for any JavaScript runtime. When using the AWS Lambda adapter (`hono/aws-lambda`) behind an Application Load Balancer (ALB), the `getConnInfo()` function incorrectly selected the first value from the `X-Forwarded-For` header. Because AWS ALB appends the real client IP address to the end of the `X-Forwarded-For` header, the first value can be attacker-controlled. This could allow IP-based access control mechanisms, such as the `ipRestriction` middleware, to be bypassed. The `X-Forwarded-For` header is used to identify the originating IP address of a client connecting to a web server through an HTTP proxy or load balancer. **Recommendations** Versions prior to 4.12.2 are affected. Update to version 4.12.2 or later to resolve this issue.