Version Details and Security Vulnerabilities

📦

@hono/node-server

1.3.4

Comparision Betweeen 1.3.4 and 1.3.3

Identify the differences between the current version of the package and the previous one.

Version

Dependencies

Dev Dependencies

Peer Dependencies

Distributed Files

Unpacked Size

119.23 KB

116.25 KB

Security Vulnerabilities

This site is an independent open-source project and is not affiliated with, endorsed by, or sponsored by npm, Inc. or GitHub, Inc. The name “npm” is a registered trademark of npm, Inc., used here solely to describe compatibility and reference publicly available npm package data.

Version Details and Security Vulnerabilities

📦

@hono/node-server

1.3.4

Comparision Betweeen 1.3.4 and 1.3.3

Identify the differences between the current version of the package and the previous one.

Version

Dependencies

Dev Dependencies

Peer Dependencies

Distributed Files

Unpacked Size

119.23 KB

116.25 KB

Security Vulnerabilities

Security Details

Comprehensive list of direct or transitive vulnerabilities for version 1.3.4 of the package @hono/node-server.

All Security Vulnerabilities

All the vulnerabilities related to the version 1.3.4 of the package

Summary:

@hono/node-server has Denial of Service risk when receiving Host header that cannot be parsed

Details:

Impact

The application hangs when receiving a Host header with a value that @hono/node-server can't handle well. Invalid values are those that cannot be parsed by the URL as a hostname such as an empty string, slashes /, and other strings.

For example, if you have a simple application:

import { serve } from '@hono/node-server'
import { Hono } from 'hono'

const app = new Hono()

app.get('/', (c) => c.text('Hello'))

serve(app)

Sending a request with a Host header with an empty value to it:

curl localhost:3000/ -H "Host: "

The results:

node:internal/url:775
    this.#updateContext(bindingUrl.parse(input, base));
                                   ^

TypeError: Invalid URL
    at new URL (node:internal/url:775:36)
    at newRequest (/Users/yusuke/work/h/159/node_modules/@hono/node-server/dist/index.js:137:17)
    at Server.<anonymous> (/Users/yusuke/work/h/159/node_modules/@hono/node-server/dist/index.js:399:17)
    at Server.emit (node:events:514:28)
    at Server.emit (node:domain:488:12)
    at parserOnIncoming (node:_http_server:1143:12)
    at HTTPParser.parserOnHeadersComplete (node:_http_common:119:17) {
  code: 'ERR_INVALID_URL',
  input: 'http:///'
}

Patches

The version 1.10.1 includes the fix for this issue. But, you should use 1.11.0, which has other fixes related to this issue. https://github.com/honojs/node-server/issues/160 https://github.com/honojs/node-server/issues/161

Workarounds

Nothing. Upgrade your @hono/node-server.

References

https://github.com/honojs/node-server/issues/159

Details about @hono/node-server@1.3.4

Summary:

@hono/node-server cannot handle "double dots" in URL

Details:

Impact

Since v1.3.0, we use our own Request object. This is great, but the url behavior is unexpected.

In the standard API, if the URL contains .., here called "double dots", the URL string returned by Request will be in the resolved path.

const req = new Request('http://localhost/static/../foo.txt') // Web-standards
console.log(req.url) // http://localhost/foo.txt

However, the url in our Request does not resolve double dots, so http://localhost/static/.. /foo.txt is returned.

const req = new Request('http://localhost/static/../foo.txt')
console.log(req.url) // http://localhost/static/../foo.txt

It will pass unresolved paths to the web application. This causes vulnerabilities like #123 when using serveStatic.

Note: Modern web browsers and a latest curl command resolve double dots on the client side, so it does not affect you if the user uses them. However, problems may occur if accessed by a client that does not resolve them.

Patches

"v1.4.1" includes the change to fix this issue.

Workarounds

Don't use serveStatic.

Details about @hono/node-server@1.3.4

Security Details

Comprehensive list of direct or transitive vulnerabilities for version 1.3.4 of the package @hono/node-server.

All Security Vulnerabilities

All the vulnerabilities related to the version 1.3.4 of the package

Summary:

@hono/node-server has Denial of Service risk when receiving Host header that cannot be parsed

Details:

Impact

For example, if you have a simple application:

import { serve } from '@hono/node-server'
import { Hono } from 'hono'

const app = new Hono()

app.get('/', (c) => c.text('Hello'))

serve(app)

Sending a request with a Host header with an empty value to it:

curl localhost:3000/ -H "Host: "

The results:

node:internal/url:775
    this.#updateContext(bindingUrl.parse(input, base));
                                   ^

TypeError: Invalid URL
    at new URL (node:internal/url:775:36)
    at newRequest (/Users/yusuke/work/h/159/node_modules/@hono/node-server/dist/index.js:137:17)
    at Server.<anonymous> (/Users/yusuke/work/h/159/node_modules/@hono/node-server/dist/index.js:399:17)
    at Server.emit (node:events:514:28)
    at Server.emit (node:domain:488:12)
    at parserOnIncoming (node:_http_server:1143:12)
    at HTTPParser.parserOnHeadersComplete (node:_http_common:119:17) {
  code: 'ERR_INVALID_URL',
  input: 'http:///'
}

Patches

Workarounds

Nothing. Upgrade your @hono/node-server.

References

https://github.com/honojs/node-server/issues/159

Details about @hono/node-server@1.3.4

Summary:

@hono/node-server cannot handle "double dots" in URL

Details:

Impact

Since v1.3.0, we use our own Request object. This is great, but the url behavior is unexpected.

In the standard API, if the URL contains .., here called "double dots", the URL string returned by Request will be in the resolved path.

const req = new Request('http://localhost/static/../foo.txt') // Web-standards
console.log(req.url) // http://localhost/foo.txt

However, the url in our Request does not resolve double dots, so http://localhost/static/.. /foo.txt is returned.

const req = new Request('http://localhost/static/../foo.txt')
console.log(req.url) // http://localhost/static/../foo.txt

It will pass unresolved paths to the web application. This causes vulnerabilities like #123 when using serveStatic.

Patches

"v1.4.1" includes the change to fix this issue.

Workarounds

Don't use serveStatic.

Details about @hono/node-server@1.3.4

Version Details and Security Vulnerabilities

@hono/node-server

Comparision Betweeen 1.3.4 and 1.3.3

Security Vulnerabilities

Version Details and Security Vulnerabilities

@hono/node-server

Comparision Betweeen 1.3.4 and 1.3.3

Security Vulnerabilities

Security Details

All

Transitive Dependencies

Package

All Security Vulnerabilities

Impact

Patches

Workarounds

References

Impact

Patches

Workarounds

Security Details

All

Transitive Dependencies

Package

All Security Vulnerabilities

Impact

Patches

Workarounds

References

Impact

Patches

Workarounds

Version Details and Security Vulnerabilities

@hono/node-server

Comparision Betweeen 1.3.4 and 1.3.3

Security Vulnerabilities

Version Details and Security Vulnerabilities

@hono/node-server

Comparision Betweeen 1.3.4 and 1.3.3

Security Vulnerabilities

Security Details

All

Transitive Dependencies

Package

All Security Vulnerabilities

@hono/node-server@1.3.4 GHSA-hgxw-5xg3-69jx 7.5

Impact

Patches

Workarounds

References

@hono/node-server@1.3.4 GHSA-rjq5-w47x-x359 5.3

Impact

Patches

Workarounds

Security Details

All

Transitive Dependencies

Package

All Security Vulnerabilities

@hono/node-server@1.3.4 GHSA-hgxw-5xg3-69jx 7.5

Impact

Patches

Workarounds

References

@hono/node-server@1.3.4 GHSA-rjq5-w47x-x359 5.3

Impact

Patches

Workarounds