CVE-2024-32652

7.5 HIGH

📋 TL;DR

This vulnerability in @hono/node-server versions before 1.10.1 causes application hangs when receiving malformed Host headers. Attackers can send specially crafted Host headers to cause denial of service. Anyone running Hono applications on Node.js with vulnerable versions is affected.

💻 Affected Systems

Products:
  • @hono/node-server
Versions: All versions before 1.10.1
Operating Systems: All platforms running Node.js
Default Config Vulnerable: ⚠️ Yes
Notes: All Hono applications using the @hono/node-server adapter are vulnerable by default

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete application unavailability leading to sustained denial of service for all users
🟠 Likely Case: Application hangs requiring manual restart, causing temporary service disruption
🟢 If Mitigated: Minimal impact with proper input validation and monitoring

🌐 Internet-Facing: HIGH - Directly exploitable via HTTP requests without authentication
🏢 Internal Only: MEDIUM - Internal attackers could still exploit it, but doing so requires network access

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple HTTP request with malformed Host header triggers the issue

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.10.1

Vendor Advisory: https://github.com/honojs/node-server/security/advisories/GHSA-hgxw-5xg3-69jx

Restart Required: Yes

Instructions:

1. Update package.json to specify @hono/node-server version 1.10.1 or higher.
2. Run npm update @hono/node-server.
3. Restart your Node.js application.

🔧 Temporary Workarounds

Input Validation Middleware (platform: all)

Add custom middleware to validate the Host header before processing

// Add this middleware to your Hono app
app.use('*', async (c, next) => {
  const host = c.req.header('Host');
  if (!host || host.includes('/') || host.trim() === '') {
    return c.text('Invalid Host header', 400);
  }
  await next();
});
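A stricter version of the same check, added here as an illustration and not part of the advisory or the @hono/node-server project: instead of only rejecting a slash, it accepts a Host value only if it is a well-formed host[:port] authority. `isValidHostHeader` and `hostGuard` are names chosen for this example; `c.req.header()` and `c.text()` are the Hono calls already used in the snippet above.

```javascript
// Constructed example: accept only RFC 3986-style host[:port] values.
// Hostname labels, dotted IPv4, or bracketed IPv6 literal, optional port.
const HOST_RE =
  /^(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*\.?|\[[0-9A-Fa-f:.]+\])(?::\d{1,5})?$/;

function isValidHostHeader(host) {
  // Missing, empty or absurdly long values are rejected outright.
  if (typeof host !== 'string' || host.length === 0 || host.length > 255) return false;
  // Structural check: no slashes, spaces, or other characters that would
  // change how `http://${host}${path}` is parsed downstream.
  if (!HOST_RE.test(host)) return false;
  // If a port is present it must be in 1..65535 (bracketed IPv6 without a
  // port never ends in ":digits", so this does not misfire on it).
  const m = /:(\d{1,5})$/.exec(host);
  if (m) {
    const port = Number(m[1]);
    if (port < 1 || port > 65535) return false;
  }
  // Final sanity check: the value must form a parseable authority.
  try {
    new URL('http://' + host + '/');
  } catch {
    return false;
  }
  return true;
}

// Middleware in the shape of the Hono snippet above (hypothetical name).
// Rejects the request with 400 before any URL construction happens.
async function hostGuard(c, next) {
  if (!isValidHostHeader(c.req.header('host'))) {
    return c.text('Invalid Host header', 400);
  }
  return next();
}

module.exports = { isValidHostHeader, hostGuard };
```

Register it with `app.use('*', hostGuard)` in place of the inline middleware above.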

Reverse Proxy Filtering (platform: linux)

Configure the reverse proxy (nginx, Apache) to filter invalid Host headers

# nginx configuration
if ($http_host ~* "^/|^$") {
    return 400;
}

🧯 If You Can't Patch

  • Implement WAF rules to block requests with malformed Host headers
  • Deploy rate limiting to prevent mass exploitation attempts

🔍 How to Verify

Check if Vulnerable:

Check package.json or run npm list @hono/node-server to see whether the installed version is below 1.10.1

Check Version:

npm list @hono/node-server

Verify Fix Applied:

After updating, test with curl: curl -H "Host: /" http://your-app/ should return a 400 error instead of hanging

📡 Detection & Monitoring

Log Indicators:

  • Application hanging without error logs
  • Increased request timeouts
  • Process restarts without clear cause

Network Indicators:

  • HTTP requests with malformed Host headers
  • Unusual patterns of requests to same endpoint

SIEM Query:

(http.headers.host IN ("/", "", "//") AND http.status_code = null) OR http.response_time > 30s
