You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
A flaw in the bodyLimit middleware could allow bypassing the configured request body size limit when conflicting HTTP headers were present.
Details
The middleware previously prioritized the Content-Length header even when a Transfer-Encoding: chunked header was also included. According to the HTTP specification, Content-Length must be ignored in such cases. This discrepancy could allow oversized request bodies to bypass the configured limit.
Most standards-compliant runtimes and reverse proxies may reject such malformed requests with 400 Bad Request, so the practical impact depends on the runtime and deployment environment.
Impact
If body size limits are used as a safeguard against large or malicious requests, this flaw could allow attackers to send oversized request bodies. The primary risk is denial of service (DoS) due to excessive memory or CPU consumption when handling very large requests.
Resolution
The implementation has been updated to align with the HTTP specification, ensuring that Transfer-Encoding takes precedence over Content-Length. The issue is fixed in Hono v4.9.7, and all users should upgrade immediately.
Fixed an issue in the bodyLimit middleware where the body size limit could be bypassed when both Content-Length and Transfer-Encoding headers were present. If you are using this middleware, please update immediately. Security Advisory
What's Changed
fix(client): Fix parseResponse not parsing json in react native by @lr0pb in #4399
Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.
This PR includes no changesets
When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types
Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.
You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.
Comment @coderabbitai help to get the list of available commands and usage tips.
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
![renovate[bot]](https://avatars.githubusercontent.com/in/2740?s=60&v=4){kind=small}
![renovate-approve[bot]](https://avatars.githubusercontent.com/in/7394?s=60&v=4){kind=small}
This PR contains the following updates:
4.9.6->4.9.7GitHub Vulnerability Alerts
CVE-2025-59139
Summary
A flaw in the
bodyLimitmiddleware could allow bypassing the configured request body size limit when conflicting HTTP headers were present.Details
The middleware previously prioritized the
Content-Lengthheader even when aTransfer-Encoding: chunkedheader was also included. According to the HTTP specification,Content-Lengthmust be ignored in such cases. This discrepancy could allow oversized request bodies to bypass the configured limit.Most standards-compliant runtimes and reverse proxies may reject such malformed requests with
400 Bad Request, so the practical impact depends on the runtime and deployment environment.Impact
If body size limits are used as a safeguard against large or malicious requests, this flaw could allow attackers to send oversized request bodies. The primary risk is denial of service (DoS) due to excessive memory or CPU consumption when handling very large requests.
Resolution
The implementation has been updated to align with the HTTP specification, ensuring that
Transfer-Encodingtakes precedence overContent-Length. The issue is fixed in Hono v4.9.7, and all users should upgrade immediately.Release Notes
honojs/hono (hono)
v4.9.7Compare Source
Security
bodyLimitmiddleware where the body size limit could be bypassed when bothContent-LengthandTransfer-Encodingheaders were present. If you are using this middleware, please update immediately. Security AdvisoryWhat's Changed
parseResponsenot parsing json in react native by @lr0pb in #4399.tool-versionsfile by @3w36zj6 in #4397bun installcommands to use--frozen-lockfileby @3w36zj6 in #4398New Contributors
Full Changelog: honojs/hono@v4.9.6...v4.9.7
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.