CVE-2026-44456

Name of the Vulnerable Software and Affected Versions Hono versions prior to 4.12.16

Description The bodyLimit() function does not reliably enforce the maxSize parameter for requests that lack a usable Content-Length, such as those using Transfer-Encoding: chunked. For these requests, the function wraps the body in a stream that counts bytes asynchronously and executes the handler before the size decision is finalized. This allows oversized requests to bypass the limit and return a 200 status code instead of a 413 status code if the handler does not read the body, reads only initial chunks, or suppresses read errors using try/catch blocks.

Recommendations Update to version 4.12.16.