CVE-2024-43787: 
JavaScript vulnerability analysis and mitigation

Hono CSRF middleware contains a vulnerability (CVE-2024-43787) that allows bypass of CSRF protection through crafted Content-Type headers. The vulnerability was discovered and disclosed on August 22, 2024, affecting Hono versions prior to 4.5.8. The issue exists in the CSRF middleware implementation of Hono, a web application framework that provides support for JavaScript runtime (GitHub Advisory).

The vulnerability stems from improper handling of MIME type case sensitivity in the CSRF middleware. The middleware's isRequestedByFormElementRe regular expression only matches lowercase MIME types, while MIME types are case-insensitive by specification. The vulnerable code is located in the CSRF middleware implementation where the regular expression /^\b(application/x-www-form-urlencoded|multipart/form-data|text/plain)\b/ only matches lowercase content types. The vulnerability has been assigned a CVSS v3.1 base score of 5.0 (Medium) with vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L (GitHub Advisory).

An attacker can bypass the CSRF protection mechanism by using uppercase form-like MIME types in the Content-Type header (e.g., 'Application/x-www-form-urlencoded'). This bypass allows potential cross-site request forgery attacks against applications relying on Hono's CSRF middleware for protection (GitHub Advisory).

The vulnerability has been fixed in Hono version 4.5.8. Users should upgrade to this version or later to receive the patch. The fix involves modifying the regular expression to be case-insensitive by adding the 'i' flag (GitHub Commit).