CVE-2025-59139: 
JavaScript vulnerability analysis and mitigation

CVE-2025-59139 affects Hono, a Web application framework that provides support for any JavaScript runtime. The vulnerability was discovered in versions prior to 4.9.7, where a flaw in the bodyLimit middleware could allow bypassing the configured request body size limit when conflicting HTTP headers were present. The issue was disclosed on September 12, 2025, and primarily affects the body size limit validation mechanism (GitHub Advisory).

The vulnerability stems from incorrect header precedence handling in the bodyLimit middleware. The middleware previously prioritized the Content-Length header even when a Transfer-Encoding: chunked header was also included, contrary to HTTP specification requirements. According to RFC 7230, when both headers are present, Transfer-Encoding should take precedence and Content-Length must be ignored. This implementation flaw could allow oversized request bodies to bypass the configured limit. The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L (GitHub Advisory).

The primary impact of this vulnerability is the potential for denial of service (DoS) attacks. If body size limits are used as a safeguard against large or malicious requests, attackers could exploit this flaw to send oversized request bodies, leading to excessive memory or CPU consumption when handling very large requests. However, most standards-compliant runtimes and reverse proxies may reject such malformed requests with 400 Bad Request, so the practical impact depends on the runtime and deployment environment (GitHub Advisory).

The vulnerability has been fixed in Hono version 4.9.7. The implementation has been updated to align with the HTTP specification, ensuring that Transfer-Encoding takes precedence over Content-Length when both headers are present. All users are advised to upgrade to version 4.9.7 or later immediately (GitHub Advisory, GitHub Patch).