GHSA-HGXW-5XG3-69JX

Vulnerability from github – Published: 2024-04-19 19:48 – Updated: 2024-04-19 21:44
VLAI?
Summary
@hono/node-server has Denial of Service risk when receiving Host header that cannot be parsed
Details

Impact

The application hangs when receiving a Host header with a value that @hono/node-server can't handle well. Invalid values are those that cannot be parsed by the URL as a hostname such as an empty string, slashes /, and other strings.

For example, if you have a simple application:

import { serve } from '@hono/node-server'
import { Hono } from 'hono'

const app = new Hono()

app.get('/', (c) => c.text('Hello'))

serve(app)

Sending a request with a Host header with an empty value to it:

curl localhost:3000/ -H "Host: "

The results:

node:internal/url:775
    this.#updateContext(bindingUrl.parse(input, base));
                                   ^

TypeError: Invalid URL
    at new URL (node:internal/url:775:36)
    at newRequest (/Users/yusuke/work/h/159/node_modules/@hono/node-server/dist/index.js:137:17)
    at Server.<anonymous> (/Users/yusuke/work/h/159/node_modules/@hono/node-server/dist/index.js:399:17)
    at Server.emit (node:events:514:28)
    at Server.emit (node:domain:488:12)
    at parserOnIncoming (node:_http_server:1143:12)
    at HTTPParser.parserOnHeadersComplete (node:_http_common:119:17) {
  code: 'ERR_INVALID_URL',
  input: 'http:///'
}

Patches

The version 1.10.1 includes the fix for this issue. But, you should use 1.11.0, which has other fixes related to this issue. https://github.com/honojs/node-server/issues/160 https://github.com/honojs/node-server/issues/161

Workarounds

Nothing. Upgrade your @hono/node-server.

References

https://github.com/honojs/node-server/issues/159

Severity ?
7.5 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@hono/node-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.3.0"
            },
            {
              "fixed": "1.10.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-32652"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-755"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-19T19:48:40Z",
    "nvd_published_at": "2024-04-19T19:15:07Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nThe application hangs when receiving a Host header with a value that `@hono/node-server` can\u0027t handle well. Invalid values are those that cannot be parsed by the `URL` as a hostname such as an empty string, slashes `/`, and other strings.\n\nFor example, if you have a simple application:\n\n```ts\nimport { serve } from \u0027@hono/node-server\u0027\nimport { Hono } from \u0027hono\u0027\n\nconst app = new Hono()\n\napp.get(\u0027/\u0027, (c) =\u003e c.text(\u0027Hello\u0027))\n\nserve(app)\n```\n\nSending a request with a Host header with an empty value to it:\n\n```\ncurl localhost:3000/ -H \"Host: \"\n```\n\nThe results:\n\n```\nnode:internal/url:775\n    this.#updateContext(bindingUrl.parse(input, base));\n                                   ^\n\nTypeError: Invalid URL\n    at new URL (node:internal/url:775:36)\n    at newRequest (/Users/yusuke/work/h/159/node_modules/@hono/node-server/dist/index.js:137:17)\n    at Server.\u003canonymous\u003e (/Users/yusuke/work/h/159/node_modules/@hono/node-server/dist/index.js:399:17)\n    at Server.emit (node:events:514:28)\n    at Server.emit (node:domain:488:12)\n    at parserOnIncoming (node:_http_server:1143:12)\n    at HTTPParser.parserOnHeadersComplete (node:_http_common:119:17) {\n  code: \u0027ERR_INVALID_URL\u0027,\n  input: \u0027http:///\u0027\n}\n```\n\n### Patches\n\nThe version `1.10.1` includes the fix for this issue. But, you should use `1.11.0`, which has other fixes related to this issue. https://github.com/honojs/node-server/issues/160 https://github.com/honojs/node-server/issues/161\n\n### Workarounds\n\nNothing. Upgrade your `@hono/node-server`.\n\n### References\n\nhttps://github.com/honojs/node-server/issues/159\n",
  "id": "GHSA-hgxw-5xg3-69jx",
  "modified": "2024-04-19T21:44:10Z",
  "published": "2024-04-19T19:48:40Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/honojs/node-server/security/advisories/GHSA-hgxw-5xg3-69jx"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32652"
    },
    {
      "type": "WEB",
      "url": "https://github.com/honojs/node-server/issues/159"
    },
    {
      "type": "WEB",
      "url": "https://github.com/honojs/node-server/issues/161"
    },
    {
      "type": "WEB",
      "url": "https://github.com/honojs/node-server/commit/306d98f02a8671a0a1fb91ac8fe7e281690c05af"
    },
    {
      "type": "WEB",
      "url": "https://github.com/honojs/node-server/commit/d847e60249fd8183ba0998bc379ba20505643204"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/honojs/node-server"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "@hono/node-server has Denial of Service risk when receiving Host header that cannot be parsed"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.