CVE-2024-43787: Hono CSRF middleware can be bypassed using crafted Content-Type header
| Field | Value |
|---|---|
| CVSS Score | 5 (CVSS v3.1) |
| CVE ID | CVE-2024-43787 |
| GHSA ID | |
| EPSS Score | 0.03318% |
| CWE | |
| Published | 8/22/2024 |
| Updated | 11/18/2024 |
| KEV Status | No |
| Technology | JavaScript |
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| hono | npm | < 4.5.8 | 4.5.8 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from the case-sensitive regular expression the CSRF middleware used to validate the Content-Type header. The key evidence is:

1. The original regex (`/application\/x-www-form-urlencoded/`) lacked the `i` flag, so it matched only the all-lowercase spelling of the media type.
2. The fix added case-insensitivity via the `/i` modifier.
3. The PoC demonstrates the bypass using the mixed-case value `Application/x-www-form-urlencoded`.
4. The test case added in the fix commit specifically checks this bypass scenario.

The middleware's security logic relied on this regex to decide whether to trigger CSRF validation at all, which makes the regex implementation the root vulnerable component.
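To make the root cause concrete, the following is an added example and not Hono's own source code: a simplified model of a CSRF middleware whose Origin check is only applied to requests that look like browser form submissions. It places the case-sensitive Content-Type test described above beside the case-insensitive form introduced by the fix and evaluates constructed sample requests against both. All function and constant names, the trusted origin and the sample requests are hypothetical.

```javascript
// Added example, not Hono's own source code: a simplified model of a CSRF
// middleware whose origin check is only applied to browser form submissions,
// shown with the case-sensitive Content-Type test described for hono < 4.5.8
// beside the case-insensitive version introduced by the fix.
// Function and constant names here are hypothetical.

// Vulnerable test: without the /i flag, "Application/..." does not match.
const FORM_TYPE_SENSITIVE = /application\/x-www-form-urlencoded/;
// Hardened test: the /i flag makes the match case-insensitive, so any casing
// of the media type is recognised as a form submission.
const FORM_TYPE_INSENSITIVE = /application\/x-www-form-urlencoded/i;

// Safe methods are never subject to the CSRF check.
function isSafeMethod(method) {
  return method === 'GET' || method === 'HEAD';
}

// Decide whether the CSRF check lets a request through.
// `req` is a plain object { method, headers } with lower-cased header names;
// `formTypeRe` is the Content-Type test under evaluation.
// Returns 'allow' or 'block'.
function csrfDecision(req, formTypeRe, allowedOrigin) {
  if (isSafeMethod(req.method)) return 'allow';
  const contentType = req.headers['content-type'] || '';
  // Only requests that look like HTML form submissions get the Origin check;
  // anything else is assumed to need a CORS preflight and is passed through.
  // This is exactly where a Content-Type test that misses a valid spelling
  // of the media type lets a cross-site form post through unchecked.
  if (!formTypeRe.test(contentType)) return 'allow';
  return req.headers['origin'] === allowedOrigin ? 'allow' : 'block';
}

// Evaluate one request against both tests for a given trusted origin.
function compare(req, allowedOrigin) {
  return {
    sensitive: csrfDecision(req, FORM_TYPE_SENSITIVE, allowedOrigin),
    insensitive: csrfDecision(req, FORM_TYPE_INSENSITIVE, allowedOrigin),
  };
}

// Constructed sample requests (not captured traffic): a cross-site form POST
// with the usual lower-case media type, the same POST with the media type's
// first letter upper-cased, and a same-origin POST with the mixed-case type.
const TRUSTED_ORIGIN = 'https://app.example';
const CROSS_SITE_LOWER = {
  method: 'POST',
  headers: { origin: 'https://other.example', 'content-type': 'application/x-www-form-urlencoded' },
};
const CROSS_SITE_MIXED = {
  method: 'POST',
  headers: { origin: 'https://other.example', 'content-type': 'Application/x-www-form-urlencoded' },
};
const SAME_SITE_MIXED = {
  method: 'POST',
  headers: { origin: TRUSTED_ORIGIN, 'content-type': 'Application/x-www-form-urlencoded' },
};

console.log('cross-site, lower-case type :', compare(CROSS_SITE_LOWER, TRUSTED_ORIGIN));
console.log('cross-site, mixed-case type :', compare(CROSS_SITE_MIXED, TRUSTED_ORIGIN));
console.log('same-origin, mixed-case type:', compare(SAME_SITE_MIXED, TRUSTED_ORIGIN));
```

Run with `node` and the middle line shows the defect: the cross-site POST with the mixed-case media type is blocked by the case-insensitive test but allowed by the case-sensitive one, because the latter never classifies it as a form submission and therefore never reaches the Origin comparison. The general lesson for a defender is that media type and subtype names are case-insensitive by specification, so any allow-list or trigger condition keyed on Content-Type must normalise case (or parse the header) before comparing, and a regression test with an unusual casing is a cheap way to keep such a check honest.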