CVE-2026-54288: hono: Body Limit Middleware can be bypassed on AWS Lambda by understating `Content-Length`

June 16, 2026

The Body Limit Middleware trusts the request’s Content-Length header to decide whether a body is within the limit. On AWS Lambda (API Gateway v1/v2, ALB, VPC Lattice, and Lambda@Edge) the body is delivered fully buffered and the adapter builds the request with the client-declared Content-Length, which need not match the actual payload. A client can declare a tiny Content-Length while sending a much larger body, slipping past the limit.

References

github.com/advisories/GHSA-rv63-4mwf-qqc2
github.com/honojs/hono/security/advisories/GHSA-rv63-4mwf-qqc2
nvd.nist.gov/vuln/detail/CVE-2026-54288

Code Behaviors & Features

Detect and mitigate CVE-2026-54288 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →