PT-2024-33264 · Hono · Hono

Kageshiron · Published 2024-10-15 · Updated 2025-09-17 · CVE-2024-48913

CVSS v3.1: 5.9 (Medium)
Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Hono versions prior to 4.6.5
Description: The issue allows an attacker to bypass the cross-site request forgery (CSRF) protection implemented by Hono's CSRF middleware by sending a state-changing request without a Content-Type header. The middleware decides whether to run its Origin check based on the Content-Type header, but a request that carries no Content-Type header at all is treated as safe and passes without that check. A cross-site page can produce exactly such a request with the fetch API, which does not add a Content-Type header to a request that has no body, so any handler that acts on a body-less POST (or other non-GET/HEAD request) can be triggered from an attacker-controlled origin using the victim's ambient cookies.
Recommendations: For Hono versions prior to 4.6.5, update to version 4.6.5 or later, which fixes the issue. As a temporary workaround, add validation in front of the CSRF middleware that either rejects non-GET/HEAD requests without a Content-Type header or verifies their Origin, so that a missing header can no longer skip the check. Restrict access to sensitive endpoints that rely on Hono's CSRF middleware until the update is applied.
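The bypass described above and the workaround in the recommendations, as an added example that is not Hono's own code: a minimal model of the Content-Type gate, with the pre-4.6.5 behaviour beside a hardened version that treats a missing header as text/plain so the Origin check always runs. The request objects, origins, sample requests and function names are constructed for illustration; Hono's real middleware takes a configurable origin option and runs inside its handler chain.

```javascript
// Added example (not Hono's own source): a minimal model of the Content-Type
// gate described in the advisory. Requests are plain {method, headers}
// objects with lower-case header names, a constructed stand-in for a Request.

const SAFE_METHOD_RE = /^(GET|HEAD)$/;

// The three media types an HTML <form> (or a fetch without a CORS preflight)
// can send cross-site. Anything else triggers a preflight, which is why the
// gate only needs to care about these.
const FORM_CONTENT_TYPE_RE =
  /^\b(application\/x-www-form-urlencoded|multipart\/form-data|text\/plain)\b/i;

function header(req, name) {
  return req.headers[name.toLowerCase()];
}

// Origin check shared by both gates: allow only an exact match with the app
// origin (a stand-in for Hono's configurable origin list).
function originAllowed(req, allowedOrigin) {
  return header(req, 'origin') === allowedOrigin;
}

// Vulnerable gate (behaviour before 4.6.5 as the advisory describes it):
// a missing Content-Type becomes '' which never matches the form regex, so
// the request is taken as "not from a form" and skips the Origin check.
function vulnerableCsrfGate(req, allowedOrigin) {
  if (SAFE_METHOD_RE.test(req.method)) return 'allowed';
  const contentType = header(req, 'content-type') || '';
  if (!FORM_CONTENT_TYPE_RE.test(contentType)) return 'allowed'; // bypass point
  return originAllowed(req, allowedOrigin) ? 'allowed' : 'forbidden';
}

// Hardened gate: a missing or empty Content-Type is treated as text/plain,
// the weakest thing a browser could have sent, so the Origin check runs.
function hardenedCsrfGate(req, allowedOrigin) {
  if (SAFE_METHOD_RE.test(req.method)) return 'allowed';
  const contentType = header(req, 'content-type') || 'text/plain';
  if (!FORM_CONTENT_TYPE_RE.test(contentType)) return 'allowed';
  return originAllowed(req, allowedOrigin) ? 'allowed' : 'forbidden';
}

// Constructed sample requests. The first is what a cross-site page produces with
//   fetch('https://app.example/account/delete',
//         { method: 'POST', mode: 'no-cors', credentials: 'include' })
// The browser attaches the victim's cookies but, with no body, sets no
// Content-Type header at all.
const APP_ORIGIN = 'https://app.example';
const ATTACKER_ORIGIN = 'https://attacker.example';

const SAMPLE_REQUESTS = {
  bodylessCrossSitePost: { method: 'POST', headers: { origin: ATTACKER_ORIGIN } },
  emptyContentTypeCrossSitePost: {
    method: 'POST',
    headers: { origin: ATTACKER_ORIGIN, 'content-type': '' },
  },
  formCrossSitePost: {
    method: 'POST',
    headers: { origin: ATTACKER_ORIGIN, 'content-type': 'application/x-www-form-urlencoded' },
  },
  // application/json forces a preflight, so CORS (not this gate) stops it.
  jsonCrossSitePost: {
    method: 'POST',
    headers: { origin: ATTACKER_ORIGIN, 'content-type': 'application/json' },
  },
  sameOriginFormPost: {
    method: 'POST',
    headers: { origin: APP_ORIGIN, 'content-type': 'application/x-www-form-urlencoded' },
  },
  plainGet: { method: 'GET', headers: {} },
};

// Run every sample through both gates; returns {name: {vulnerable, hardened}}.
function compareGates() {
  const out = {};
  for (const [name, req] of Object.entries(SAMPLE_REQUESTS)) {
    out[name] = {
      vulnerable: vulnerableCsrfGate(req, APP_ORIGIN),
      hardened: hardenedCsrfGate(req, APP_ORIGIN),
    };
  }
  return out;
}

console.table(compareGates());
```

Running it shows the body-less and empty-Content-Type cross-site POSTs pass the vulnerable gate and are refused by the hardened one, while same-origin form posts and GETs pass both; the JSON case passes both by design because the browser's preflight, not this gate, is what blocks it cross-site.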

Exploit · Fix · CSRF


Weakness Enumeration

Related Identifiers

CVE-2024-48913
GHSA-2234-FMW7-43WR

Affected Products

Hono