CVE-2026-44456
Hono: bodyLimit() can be bypassed for chunked / unknown-length requests
Description
## Summary `bodyLimit()` does not reliably enforce `maxSize` for requests without a usable `Content-Length` (e.g. `Transfer-Encoding: chunked`). Oversized requests can reach handlers and return `200` instead of `413`. ## Details For chunked / unknown-length requests, `bodyLimit()` wraps the body in a stream that counts bytes asynchronously, then runs the handler before the size decision is final. The `413` is only applied afterwards by checking `c.error`. This lets the limit be bypassed when: - the handler does not read the body, - the handler reads only the first chunk(s) and returns, or - the handler reads the body but swallows the read error in `try/catch`. In all three cases the handler returns `200` before the limit check completes (or its result is observed). The fix is to enforce the size decision before `next()` runs, instead of retrofitting the response via `c.error` afterwards. ## Impact Applications relying on `bodyLimit()` as a hard boundary can be bypassed: oversized chunked requests can reach handler logic and return successful responses. Per-request data exposure is bounded by `maxSize`, but the documented guarantee — "oversized requests are rejected before business logic runs" — does not hold. ## Credits - @lalalala5678 (slow chunked / early return variants) - @Jvr2022 (error handling bypass)
How to fix CVE-2026-44456
To remediate CVE-2026-44456, upgrade the affected package to a fixed version below.
- —upgrade to 4.12.16 or later
Is CVE-2026-44456 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 4.12.16