Description
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.11.7, Serve static Middleware for the Cloudflare Workers adapter contains an information disclosure vulnerability that may allow attackers to read arbitrary keys from the Workers environment. Improper validation of user-controlled paths can result in unintended access to internal asset keys. Version 4.11.7 contains a patch for the issue.
Published: 2026-01-27
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information disclosure due to arbitrary key read in the Cloudflare Workers adapter
Action: Upgrade framework
AI Analysis

Impact

Hono, a web application framework for JavaScript runtimes, contains an information disclosure flaw in its Serve static Middleware when used with the Cloudflare Workers adapter. Malicious actors can craft request paths that are improperly validated, allowing them to read arbitrary keys from the Workers environment. This vulnerability permits disclosure of internal asset keys and potentially other sensitive data stored as environment variables, thereby compromising the confidentiality of the application.

Affected Systems

The vulnerability affects all installations of the honojs:hono framework running a version older than 4.11.7, specifically when the Serve static Middleware for the Cloudflare Workers adapter is enabled. The affected configuration is identified by the honojs:hono product used on a Node.js runtime.

Risk and Exploitability

The CVSS score of 6.3 indicates a moderate severity, while an EPSS probability of less than 1% suggests that exploitation is currently unlikely in the wild. The vulnerability is not listed in the CISA KEV catalog. Attackers would need to send specially crafted requests to a Cloudflare Workers instance running vulnerable Hono code, exploiting the path validation flaw to trigger unintended access to internal keys. The attack vector is inferred to be remote, via HTTP requests, based on the nature of Serve static Middleware and the description of the flaw.

Generated by OpenCVE AI on April 18, 2026 at 18:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Hono to version 4.11.7 or later, which includes the security fix.
  • Temporarily disable or remove the Serve static Middleware from the Cloudflare Workers adapter until the patch is applied, or restrict it to serve only whitelisted static paths.
  • Review and minimize sensitive environment variables exposed to the Workers environment; rename or remove unnecessary keys and enforce least privilege.

Advisories
Source: Github GHSA
ID: GHSA-w332-q679-j88p
Title: Hono has an Arbitrary Key Read in Serve static Middleware (Cloudflare Workers Adapter)

History

Wed, 04 Feb 2026 15:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:hono:hono:*:*:*:*:*:node.js:*:*
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


Wed, 28 Jan 2026 12:30:00 +0000

Type Values Removed Values Added
First Time appeared Hono
Hono hono
Vendors & Products Hono
Hono hono

Tue, 27 Jan 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 27 Jan 2026 20:00:00 +0000

Type Values Removed Values Added
Description Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.11.7, Serve static Middleware for the Cloudflare Workers adapter contains an information disclosure vulnerability that may allow attackers to read arbitrary keys from the Workers environment. Improper validation of user-controlled paths can result in unintended access to internal asset keys. Version 4.11.7 contains a patch for the issue.
Title Hono has an Arbitrary Key Read in Serve static Middleware (Cloudflare Workers Adapter)
Weaknesses CWE-200
CWE-284
CWE-668
References
Metrics cvssV4_0

{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-27T20:51:59.157Z

Reserved: 2026-01-23T00:38:20.547Z

Link: CVE-2026-24473

Vulnrichment

Updated: 2026-01-27T20:36:28.052Z

NVD

Status : Analyzed

Published: 2026-01-27T20:16:23.107

Modified: 2026-02-04T15:30:35.477

Link: CVE-2026-24473

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T19:00:08Z

Weaknesses