CVE-2025-59139: 
JavaScript vulnerability analysis and mitigation

A security vulnerability (CVE-2025-59139) was discovered in Hono, a Web application framework that provides support for any JavaScript runtime. The vulnerability affects versions prior to 4.9.7 and was disclosed on September 12, 2025. The issue involves a flaw in the bodyLimit middleware that could allow bypassing the configured request body size limit when conflicting HTTP headers were present (GitHub Advisory).

The vulnerability stems from incorrect header prioritization in the bodyLimit middleware. The middleware previously prioritized the Content-Length header even when a Transfer-Encoding: chunked header was also included. According to HTTP specifications, Content-Length must be ignored when both headers are present. This implementation flaw allowed oversized request bodies to bypass the configured size limit. The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L (GitHub Advisory, NVD).

The primary impact of this vulnerability is the potential for denial of service (DoS) attacks. If body size limits are used as a safeguard against large or malicious requests, attackers could exploit this flaw to send oversized request bodies, leading to excessive memory or CPU consumption when handling very large requests. However, most standards-compliant runtimes and reverse proxies may reject such malformed requests with 400 Bad Request, making the practical impact dependent on the runtime and deployment environment (GitHub Advisory).

The vulnerability has been fixed in Hono version 4.9.7. The implementation has been updated to align with the HTTP specification, ensuring that Transfer-Encoding takes precedence over Content-Length. All users are advised to upgrade to version 4.9.7 immediately. The fix can be found in commit 605c70560b52f13af10379f79b76717042fafe8d (GitHub Commit, GitHub Advisory).