Description
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.12.4, when using serveStatic together with route-based middleware protections (e.g. app.use('/admin/*', ...)), inconsistent URL decoding allowed protected static resources to be accessed without authorization. The router used decodeURI, while serveStatic used decodeURIComponent. This mismatch allowed paths containing encoded slashes (%2F) to bypass middleware protections while still resolving to the intended filesystem path. This issue has been patched in version 4.12.4.
Published: 2026-03-04
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary File Access
Action: Apply Patch
AI Analysis

Impact

The vulnerability in Hono's serveStatic middleware is an inconsistent-encoding flaw (CWE-177) that allows an unauthenticated attacker to read protected static files. Hono's router decodes request paths with decodeURI, which leaves encoded reserved characters such as %2F untouched, while serveStatic decodes with decodeURIComponent, which turns %2F back into a slash. A path containing an encoded slash therefore fails to match a route-based protection such as app.use('/admin/*', ...) but still resolves to the intended file on disk, so the mismatch grants unauthorized read access to static files under the protected route and discloses their contents.

Affected Systems

Hono framework (honojs:hono) versions earlier than 4.12.4 are affected. The issue exists on any JavaScript runtime that runs Hono and configures serveStatic in combination with route-based middleware such as app.use('/admin/*', ...) to protect static content.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity, but the EPSS score of less than 1% suggests a low probability of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog, implying no known widespread exploitation. The likely attack vector is remote, delivered via crafted HTTP requests that target the web application's static file endpoints. Exploitation requires only that Hono be deployed with serveStatic configured behind route-based middleware; no additional access or privileges are necessary. The risk remains moderate to high until the framework is upgraded.

Generated by OpenCVE AI on April 17, 2026 at 13:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Hono to version 4.12.4 or later to apply the patched URL-decoding logic.
  • Reconfigure or remove serveStatic usage where route-based authentication is applied, or switch to a static file handler whose decoding behavior matches the router's.
  • If upgrading immediately is not feasible, replace serveStatic with an alternative that enforces strict path normalization, or explicitly validate and reject encoded slashes before file resolution.

Generated by OpenCVE AI on April 17, 2026 at 13:01 UTC.
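One way to implement the last recommended action (reject encoded slashes before any file is resolved), as an added example that is not Hono's own code or the vendor's patch: the guard runs both decoders the advisory names over the raw request path and refuses any path on which they disagree, which is exactly the class of path the router and serveStatic would see differently. The names checkPathDecoding, rawPathname and rejectAmbiguousPaths, and the use of c.req.raw.url as the still-encoded request URL, are assumptions of this example.

```javascript
// Added example (not Hono's own code): refuse a request path before any file
// resolution when decodeURI (what a router matches on) and decodeURIComponent
// (what a static-file handler resolves) would produce different strings.
// decodeURI leaves reserved characters such as %2F encoded, so a path carrying
// an encoded slash is precisely one on which the two decoders disagree.
function checkPathDecoding(rawPath) {
  let routerView;
  let staticView;
  try {
    routerView = decodeURI(rawPath);
    staticView = decodeURIComponent(rawPath);
  } catch (err) {
    // Both decoders throw URIError on a truncated or invalid escape sequence;
    // such a path can never be resolved consistently, so reject it too.
    return { ok: false, reason: 'malformed percent-encoding' };
  }
  if (routerView !== staticView) {
    return { ok: false, reason: 'encoded reserved character', routerView, staticView };
  }
  // Non-reserved escapes (%20, UTF-8 sequences, ...) decode identically in
  // both decoders, so ordinary encoded filenames still pass.
  return { ok: true, path: staticView };
}

// The pathname exactly as the client sent it: the WHATWG URL parser keeps
// percent-escapes such as %2F in pathname rather than decoding them.
function rawPathname(urlString) {
  return new URL(urlString).pathname;
}

// Hono-shaped middleware (c, next). Assumes c.req.raw is the underlying
// Request object, so c.req.raw.url is still percent-encoded. Register it
// ahead of serveStatic and of any route-scoped protection, for example
// app.use('*', rejectAmbiguousPaths()), so the check runs on every request.
function rejectAmbiguousPaths() {
  return async (c, next) => {
    const verdict = checkPathDecoding(rawPathname(c.req.raw.url));
    if (!verdict.ok) {
      return c.text(`Bad Request: ${verdict.reason}`, 400);
    }
    await next();
  };
}
```

Because decodeURI also keeps %3F, %23, %2B and the other reserved characters encoded, the guard rejects those as well, which is the conservative choice for a static-file route.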

Advisories
Source: Github GHSA
ID: GHSA-q5qw-h33p-qvwr
Title: Hono vulnerable to arbitrary file access via serveStatic vulnerability
History

Fri, 06 Mar 2026 18:15:00 +0000

Type: CPEs
Values Removed:
Values Added: cpe:2.3:a:hono:hono:*:*:*:*:*:node.js:*:*

Thu, 05 Mar 2026 16:15:00 +0000

Type: Metrics (ssvc)
Values Removed:
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 05 Mar 2026 09:15:00 +0000

Type: First Time appeared
Values Removed:
Values Added: Hono; Hono hono

Type: Vendors & Products
Values Removed:
Values Added: Hono; Hono hono

Wed, 04 Mar 2026 22:30:00 +0000

Type: Description
Values Removed:
Values Added: Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.12.4, when using serveStatic together with route-based middleware protections (e.g. app.use('/admin/*', ...)), inconsistent URL decoding allowed protected static resources to be accessed without authorization. The router used decodeURI, while serveStatic used decodeURIComponent. This mismatch allowed paths containing encoded slashes (%2F) to bypass middleware protections while still resolving to the intended filesystem path. This issue has been patched in version 4.12.4.

Type: Title
Values Removed:
Values Added: Hono: Arbitrary file access via serveStatic vulnerability

Type: Weaknesses
Values Removed:
Values Added: CWE-177

Type: References
Values Removed:
Values Added:

Type: Metrics (cvssV3_1)
Values Removed:
Values Added: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-05T15:42:05.041Z

Reserved: 2026-03-03T17:50:11.243Z

Link: CVE-2026-29045

Vulnrichment

Updated: 2026-03-05T15:39:30.478Z

NVD

Status: Analyzed

Published: 2026-03-04T23:16:10.247

Modified: 2026-03-06T18:06:45.650

Link: CVE-2026-29045

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T13:15:19Z

Weaknesses