## Hono Patches BodyLimit Bypass Affecting Chunked Request Handling in v4.12.18
The Hono web framework has released version 4.12.18 to address a security vulnerability (CVE-2026-44456) where the bodyLimit() function failed to reliably enforce the maxSize parameter for requests lacking a usable Content-Length header. The flaw affected versions 4.12.14 through 4.12.17, specifically when handling Transfer-Encoding: chunked or other unknown-length requests.

The vulnerability allowed oversized payloads to bypass intended size restrictions. When an HTTP request arrives without a Content-Length header—common with chunked transfer encoding—Hono's bodyLimit() could fail to properly enforce configured size limits. This created a potential vector for resource exhaustion or denial-of-service conditions targeting applications that depend on bodyLimit() as a protective mechanism against malformed or malicious uploads.
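
As an added example (not code from the Hono project or its patch), the block below enforces a cap by counting bytes while the stream is read instead of relying on Content-Length, which is the property described above as failing for chunked and unknown-length requests. The names `createByteBudget`, `readBodyWithLimit` and `constructedChunkedBody` are hypothetical, and the code assumes a runtime with the web-standard `ReadableStream` (for example Node.js 18 or later).

```javascript
// Added example, not Hono's implementation: the cap is enforced on bytes read.
class BodyTooLargeError extends Error {
  constructor(maxSize) {
    super(`request body exceeds ${maxSize} bytes`);
    this.status = 413; // Payload Too Large
  }
}
// Hypothetical helper: running byte budget, independent of any request header.
function createByteBudget(maxSize) {
  let received = 0;
  return (chunk) => {
    received += chunk.byteLength;
    if (received > maxSize) throw new BodyTooLargeError(maxSize);
    return received;
  };
}

// Hypothetical helper: drain a web ReadableStream<Uint8Array> under the budget.
async function readBodyWithLimit(stream, maxSize) {
  const accept = createByteBudget(maxSize);
  const reader = stream.getReader();
  const chunks = [];
  let total = 0;
  try {
    for (;;) {
      const { done, value } = await reader.read();
      if (done) break;
      total = accept(value); // throws once the running total passes maxSize
      chunks.push(value);
    }
  } catch (err) {
    await reader.cancel(err); // stop pulling further data from the peer
    throw err;
  } finally {
    reader.releaseLock();
  }
  const body = new Uint8Array(total);
  let offset = 0;
  for (const c of chunks) { body.set(c, offset); offset += c.byteLength; }
  return body;
}

// Constructed sample input: a body delivered piece by piece, no declared length.
function constructedChunkedBody(chunkSizes) {
  const parts = chunkSizes.map((n) => new Uint8Array(n).fill(0x41));
  return new ReadableStream({
    pull(c) { parts.length ? c.enqueue(parts.shift()) : c.close(); },
  });
}
```

A body of exactly `maxSize` bytes is accepted; the first chunk that pushes the running total past the cap rejects the read and cancels the stream, so no further chunks are buffered.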

Developers using Hono's routing and request body parsing features should verify their current version and update to 4.12.18 immediately. Applications that expose file upload endpoints, parse JSON or form bodies, or rely on bodyLimit() as a defensive control are most directly affected. The vulnerability carries a GHSA identifier (GHSA-9vqf-7f2p-gf9v), indicating coordinated disclosure through GitHub's Security Advisories program. Downstream projects depending on Hono should also assess their exposure and apply the patch accordingly.

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: web-framework, security-patch, body-limit-bypass, chunked-encoding, cve-2026-44456
- **Credibility**: unverified
- **Published**: 2026-05-09 06:01:39
- **ID**: 81001
- **URL**: https://whisperx.ai/en/intel/81001