Description
@hono/node-server allows running the Hono application on Node.js. Prior to version 1.19.10, when using @hono/node-server's static file serving together with route-based middleware protections (e.g. protecting /admin/*), inconsistent URL decoding can allow protected static resources to be accessed without authorization. In particular, paths containing encoded slashes (%2F) may be evaluated differently by routing/middleware matching versus static file path resolution, enabling a bypass where middleware does not run but the static file is still served. This issue has been patched in version 1.19.10.
Published: 2026-03-06
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized access to protected static files
Action: Immediate Patch
AI Analysis

Impact

@hono/node-server allows the middleware protections placed on static file routes to be bypassed when a request URL contains encoded slashes (%2F). The routing and middleware matchers decode URLs inconsistently with the static file resolver, so a request that should trigger the protecting middleware skips it and still reaches the file handler. The result is an authorization bypass that exposes any file placed under a protected path. The weakness is categorized as CWE-863 (Incorrect Authorization).

Affected Systems

The vulnerability affects the Honojs node-server package. All releases prior to 1.19.10 may serve protected static resources without authentication. The fix is available in version 1.19.10.

Risk and Exploitability

The CVSS score of 7.5 indicates a high impact, but the EPSS score is less than 1% and the vulnerability is not listed in the KEV catalog, suggesting that exploitation is unlikely in the wild. Nevertheless, an attacker who can send HTTP requests to the target can construct a path such as "/admin%2Fsecret.txt" to retrieve static content intended to be protected. No additional privileges or elevated access are required, making the attack straightforward for anyone with network connectivity to the server.

Generated by OpenCVE AI on April 16, 2026 at 11:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade @hono/node-server to version 1.19.10 or later to apply the patched URL decoding logic.
  • Audit the static file routes to ensure that no sensitive content is unintentionally exposed after the upgrade.
  • If an upgrade is not immediately possible, add a pre-static middleware that rejects paths containing encoded slashes, or enforce explicit path validation for protected directories.

Generated by OpenCVE AI on April 16, 2026 at 11:18 UTC.
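The workaround recommended above (reject encoded slashes before static serving, and validate decoded paths against protected directories), written out as an added example that is not part of the advisory or of @hono/node-server. It assumes Hono's (c, next) middleware signature with c.req.url and c.text(); the /admin/ prefix, the authorize callback and the stand-in context are constructed for the demo. Because the prefix check runs on the decoded, normalized path, it also catches other encodings a static resolver would decode into the protected directory, which goes beyond the %2F case the advisory names.

```javascript
// Pre-static guard for the %2F decoding gap (added example, not code from
// @hono/node-server or the advisory). Assumes Hono's (c, next) middleware
// signature with c.req.url and c.text(); prefixes/authorize are demo inputs.

// Decode once, as a static file resolver would, then collapse "." and ".."
// segments so the comparison sees the path the file system would see.
function resolveRequestPath(rawPath) {
  let decoded;
  try {
    decoded = decodeURIComponent(rawPath);
  } catch {
    return null; // malformed percent-encoding: refuse rather than guess
  }
  const out = [];
  for (const seg of decoded.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") out.pop();
    else out.push(seg);
  }
  return "/" + out.join("/");
}

// Encoded slashes (%2F / %2f) are what the router and the resolver disagree on.
function hasEncodedSlash(rawPath) {
  return /%2f/i.test(rawPath);
}

// Mount before serveStatic: rejects encoded slashes outright and requires
// authorize(c) to pass for anything that decodes into a protected directory.
function guardProtectedStatic({ protectedPrefixes, authorize }) {
  return (c, next) => {
    const rawPath = new URL(c.req.url).pathname; // raw, still percent-encoded
    if (hasEncodedSlash(rawPath)) return c.text("Bad Request", 400);
    const target = resolveRequestPath(rawPath);
    if (target === null) return c.text("Bad Request", 400);
    const isProtected = protectedPrefixes.some((p) => target.startsWith(p));
    if (isProtected && !authorize(c)) return c.text("Unauthorized", 401);
    return next();
  };
}

// Minimal stand-in for a Hono context (constructed for the offline demo).
function makeContext(url) {
  return { req: { url }, status: 200, text(body, status = 200) { this.status = status; return body; } };
}

// Returns the status a client would receive for one request.
function simulate(url, authorized) {
  const guard = guardProtectedStatic({ protectedPrefixes: ["/admin/"], authorize: () => authorized });
  const c = makeContext(url);
  guard(c, () => {}); // next() stands in for serveStatic()
  return c.status;
}
```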


Advisories
Source: GitHub GHSA
ID: GHSA-wc8c-qw6v-h7f6
Title: @hono/node-server has authorization bypass for protected static paths via encoded slashes in Serve Static Middleware
History

Tue, 14 Apr 2026 17:45:00 +0000

Type: CPEs
Values added: cpe:2.3:a:hono:node-server:*:*:*:*:*:node.js:*:*

Mon, 09 Mar 2026 10:15:00 +0000

Type: First Time appeared
Values added: Hono; Hono node-server
Type: Vendors & Products
Values added: Hono; Hono node-server

Fri, 06 Mar 2026 19:15:00 +0000

Type: Metrics (ssvc)
Values added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 06 Mar 2026 17:30:00 +0000

Type: Description
Values added: the description text shown in the Description section at the top of this page
Type: Title
Values added: @hono/node-server: Authorization bypass for protected static paths via encoded slashes in Serve Static Middleware
Type: Weaknesses
Values added: CWE-863
Type: References (no values listed)
Type: Metrics (cvssV3_1)
Values added: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-06T18:02:36.517Z

Reserved: 2026-03-03T20:51:43.484Z

Link: CVE-2026-29087

Vulnrichment

Updated: 2026-03-06T18:02:31.957Z

NVD

Status : Analyzed

Published: 2026-03-06T18:16:19.757

Modified: 2026-04-14T17:36:58.930

Link: CVE-2026-29087

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T11:30:15Z

Weaknesses