Bypass csrf protection implemented with hono csrf middleware.
Discussion
I'm not sure that omitting csrf checks for Simple POST request is a good idea.
CSRF prevention and CORS are different concepts even though CORS can prevent CSRF in some cases.
Release Notes
honojs/hono (hono)
### [`v4.5.8`](https://togithub.com/honojs/hono/releases/tag/v4.5.8)
[Compare Source](https://togithub.com/honojs/hono/compare/v4.5.7...v4.5.8)
##### Security Fix for CSRF Protection Middleware
Before this release, in versions 4.5.7 and below, the CSRF Protection Middleware did not treat requests including `Content-Types` with uppercase letters (e.g., `Application/x-www-form-urlencoded`) as potential attacks, allowing them to pass.
This could cause unexpected behavior, leading to a vulnerability. If you are using the CSRF Protection Middleware, please upgrade to version 4.5.8 or higher immediately.
For more details, see the report here: https://github.com/honojs/hono/security/advisories/GHSA-rpfr-3m35-5vx5
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
â™» Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
[ ] If you want to rebase/retry this PR, check this box
This PR contains the following updates:
4.5.7
->4.5.8
GitHub Vulnerability Alerts
CVE-2024-43787
Summary
Hono CSRF middleware can be bypassed using crafted Content-Type header.
Details
MIME types are case insensitive, but
isRequestedByFormElementRe
only matches lower-case.https://github.com/honojs/hono/blob/b0af71fbcc6dbe44140ea76f16d68dfdb32a99a0/src/middleware/csrf/index.ts#L16-L17
As a result, attacker can bypass csrf middleware using upper-case form-like MIME type, such as "Application/x-www-form-urlencoded".
PoC
Impact
Bypass csrf protection implemented with hono csrf middleware.
Discussion
I'm not sure that omitting csrf checks for Simple POST request is a good idea. CSRF prevention and CORS are different concepts even though CORS can prevent CSRF in some cases.
Release Notes
honojs/hono (hono)
### [`v4.5.8`](https://togithub.com/honojs/hono/releases/tag/v4.5.8) [Compare Source](https://togithub.com/honojs/hono/compare/v4.5.7...v4.5.8) ##### Security Fix for CSRF Protection Middleware Before this release, in versions 4.5.7 and below, the CSRF Protection Middleware did not treat requests including `Content-Types` with uppercase letters (e.g., `Application/x-www-form-urlencoded`) as potential attacks, allowing them to pass. This could cause unexpected behavior, leading to a vulnerability. If you are using the CSRF Protection Middleware, please upgrade to version 4.5.8 or higher immediately. For more details, see the report here: https://github.com/honojs/hono/security/advisories/GHSA-rpfr-3m35-5vx5Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
â™» Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.