PT-2024-30656 · Hono · Hono

Wataru-Chocola · Published 2024-08-22 · Updated 2025-09-17 · CVE-2024-43787

CVSS v3.1: 5.0 (Medium)
Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
Vulnerable software and affected versions: Hono versions prior to 4.5.8
Description: The Hono CSRF middleware can be bypassed with a crafted Content-Type header. The middleware only enforces its Origin check on requests whose Content-Type looks like an HTML form submission, since those are the requests a browser will send cross-site without a CORS preflight. MIME types are case-insensitive, and the Fetch specification lowercases the Content-Type before deciding whether it is CORS-safelisted, but the isRequestedByFormElementRe regular expression only matched lower-case MIME types. A cross-site request carrying an upper-case form-like type such as "Application/x-www-form-urlencoded" is therefore sent by the browser without a preflight, yet is classified by the middleware as a non-form request and passed through without any Origin check.
Recommendations: Update Hono to version 4.5.8 or later, where the form-like MIME type check is case-insensitive. If updating is not immediately possible, apply the same change locally: make the isRequestedByFormElementRe match case-insensitively, or place a check in front of the CSRF middleware that treats any casing of a form-like Content-Type as a form submission and requires a trusted Origin. The Content-Type header is chosen by the attacker's page, so asking legitimate clients to avoid upper-case MIME types is not a mitigation; only the server-side comparison matters. Likewise, removing the middleware from routes does not reduce exposure; state-changing routes should keep it and rely on the corrected check.
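The following is an added example that models the decision described above; it is not Hono's own code. The two regular expressions approximate the shape of isRequestedByFormElementRe before the fix (case-sensitive) and after it (the "i" flag), the CORS-safelist check follows the Fetch specification's byte-lowercase rule, and the hosts app.example and attacker.example are hypothetical. It runs the same cross-site POST through both versions of the check and shows that only the upper-case form-like type slips past the vulnerable version while still reaching the server without a preflight.

```javascript
// Added example for CVE-2024-43787 (not Hono's code). Models the middleware's
// decision: requests whose Content-Type is a form-submission type must carry a
// trusted Origin; anything else is passed through because a browser would have
// sent a CORS preflight for it. The regexes approximate isRequestedByFormElementRe
// before (case-sensitive) and after (case-insensitive) the fix.

const FORM_RE_VULNERABLE =
  /^\b(application\/x-www-form-urlencoded|multipart\/form-data|text\/plain)\b/;
const FORM_RE_FIXED =
  /^\b(application\/x-www-form-urlencoded|multipart\/form-data|text\/plain)\b/i;

// Fetch spec rule: a Content-Type is CORS-safelisted (sent cross-site with no
// preflight) when its byte-lowercased essence is one of these three types.
// This is why "Application/x-www-form-urlencoded" reaches the server cross-site.
const SAFELISTED = ['application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain'];
function isCorsSafelistedContentType(contentType) {
  const essence = contentType.split(';')[0].trim().toLowerCase();
  return SAFELISTED.includes(essence);
}

// Model of the middleware: "pass" lets the handler run, "forbidden" is the 403.
// `headers` is a plain object keyed by lower-case header name.
function csrfDecision(headers, formRe, trustedOrigin) {
  const contentType = headers['content-type'] ?? '';
  if (!formRe.test(contentType)) {
    return 'pass'; // classified as non-form: Origin is never examined
  }
  return headers['origin'] === trustedOrigin ? 'pass' : 'forbidden';
}

// Constructed sample traffic (hypothetical hosts): a cross-site POST from an
// attacker's page and a same-site POST from the application's own page.
const APP_ORIGIN = 'https://app.example';
const crossSite = (contentType) => ({ origin: 'https://attacker.example', 'content-type': contentType });
const sameSite = (contentType) => ({ origin: APP_ORIGIN, 'content-type': contentType });

// Runs each Content-Type through both versions of the check and reports whether
// the browser would send it without preflight and what each version decides.
function compareVersions() {
  const cases = [
    'application/x-www-form-urlencoded',
    'Application/x-www-form-urlencoded',      // the bypass from the advisory
    'Multipart/Form-Data; boundary=----abc',  // same bypass, other form type
    'application/json',                       // preflighted: pass-through is fine
  ];
  return cases.map((ct) => ({
    contentType: ct,
    noPreflight: isCorsSafelistedContentType(ct),
    vulnerable: csrfDecision(crossSite(ct), FORM_RE_VULNERABLE, APP_ORIGIN),
    fixed: csrfDecision(crossSite(ct), FORM_RE_FIXED, APP_ORIGIN),
  }));
}

// A successful CSRF needs both: the browser sends the request without a
// preflight, and the middleware still passes it despite the foreign Origin.
function isBypass(result, version) {
  return result.noPreflight && result[version] === 'pass';
}

for (const r of compareVersions()) {
  console.log(
    `${r.contentType.padEnd(40)} preflight-free=${r.noPreflight} ` +
    `vulnerable=${r.vulnerable} fixed=${r.fixed}`
  );
}
```

The same-site request with an upper-case type still passes the fixed check, so the correction does not break legitimate clients; it only stops the cross-site case that the case-sensitive match let through. A practitioner who cannot update could mount an equivalent case-insensitive check as a middleware ahead of Hono's CSRF middleware, as the recommendations describe.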

Exploit · Fix

Weakness Enumeration: CSRF

Related Identifiers: CVE-2024-43787, GHSA-RPFR-3M35-5VX5

Affected Products: Hono