Impact
The application hangs when receiving a Host header with a value that @hono/node-server can't handle well. Invalid values are those that cannot be parsed by the URL as a hostname such as an empty string, slashes /, and other strings.
For example, if you have a simple application:
import { serve } from '@hono/node-server'
import { Hono } from 'hono'
const app = new Hono()
app.get('/', (c) => c.text('Hello'))
serve(app)Sending a request with a Host header with an empty value to it:
curl localhost:3000/ -H "Host: "
The results:
node:internal/url:775
this.#updateContext(bindingUrl.parse(input, base));
^
TypeError: Invalid URL
at new URL (node:internal/url:775:36)
at newRequest (/Users/yusuke/work/h/159/node_modules/@hono/node-server/dist/index.js:137:17)
at Server.<anonymous> (/Users/yusuke/work/h/159/node_modules/@hono/node-server/dist/index.js:399:17)
at Server.emit (node:events:514:28)
at Server.emit (node:domain:488:12)
at parserOnIncoming (node:_http_server:1143:12)
at HTTPParser.parserOnHeadersComplete (node:_http_common:119:17) {
code: 'ERR_INVALID_URL',
input: 'http:///'
}
Patches
The version 1.10.1 includes the fix for this issue. But, you should use 1.11.0, which has other fixes related to this issue. #160 #161
Workarounds
Nothing. Upgrade your @hono/node-server.
References
#159
Impact
The application hangs when receiving a Host header with a value that
@hono/node-servercan't handle well. Invalid values are those that cannot be parsed by theURLas a hostname such as an empty string, slashes/, and other strings.For example, if you have a simple application:
Sending a request with a Host header with an empty value to it:
The results:
Patches
The version
1.10.1includes the fix for this issue. But, you should use1.11.0, which has other fixes related to this issue. #160 #161Workarounds
Nothing. Upgrade your
@hono/node-server.References
#159