Hono Body Limit Middleware trusts Content-Length header, enabling bypass on AWS Lambda
What changed
The Body Limit Middleware trusts the client-declared Content-Length header without verifying actual body size, allowing bypass on AWS Lambda where the adapter copies the header verbatim from a buffered payload.
Who it affects
Applications deployed on AWS Lambda (API Gateway v1/v2, ALB, VPC Lattice, Lambda@Edge) that use the Body Limit Middleware to cap request body size.
What to do today
Review your Hono Body Limit Middleware usage on AWS Lambda and add a body size check that measures the bytes actually received, or switch to a mechanism that validates the real payload size rather than the client-declared Content-Length header.
Source
GitHub Advisory · hono