GHSA-9vqf-7f2p-gf9v
Hono: bodyLimit() can be bypassed for chunked / unknown-length requests
Details
## Summary
`bodyLimit()` does not reliably enforce `maxSize` for requests without a usable `Content-Length` (e.g. `Transfer-Encoding: chunked`). Oversized requests can reach handlers and return `200` instead of `413`.
## Details
For chunked / unknown-length requests, `bodyLimit()` wraps the body in a stream that counts bytes asynchronously, then runs the handler before the size decision is final. The `413` is only applied afterwards by checking `c.error`.
This lets the limit be bypassed when:
- the handler does not read the body, - the handler reads only the first chunk(s) and returns, or - the handler reads the body but swallows the read error in `try/catch`.
In all three cases the handler returns `200` before the limit check completes (or its result is observed).
The fix is to enforce the size decision before `next()` runs, instead of retrofitting the response via `c.error` afterwards.
## Impact
Applications relying on `bodyLimit()` as a hard boundary can be bypassed: oversized chunked requests can reach handler logic and return successful responses. Per-request data exposure is bounded by `maxSize`, but the documented guarantee — "oversized requests are rejected before business logic runs" — does not hold.
## Credits
- @lalalala5678 (slow chunked / early return variants) - @Jvr2022 (error handling bypass)
Are you affected?
Enter the version of the package you're using.