CVE-2026-54289: hono: Lambda@Edge adapter keeps only the last value of a repeated request header, dropping the rest

June 16, 2026

On AWS Lambda@Edge, CloudFront delivers a request header that appears more than once as several separate entries. The adapter writes each value with Headers.set instead of Headers.append, so every value overwrites the previous one and only the last reaches the application. Repeated request headers such as X-Forwarded-For, Forwarded, and Via are silently truncated to a single value.

References

github.com/advisories/GHSA-wgpf-jwqj-8h8p
github.com/honojs/hono/security/advisories/GHSA-wgpf-jwqj-8h8p
nvd.nist.gov/vuln/detail/CVE-2026-54289

Code Behaviors & Features

Detect and mitigate CVE-2026-54289 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →