Impact
The vulnerability arises from an inconsistency in path handling within the serveStatic middleware of the @hono/node-server library. Prior to version 1.19.13, URLs that contain multiple consecutive slashes are normalized by serveStatic before reaching the routing layer, but the router’s middleware matching does not account for these repeated slashes. As a result, requests for protected static assets that use double slashes can bypass route‑based authorization middleware, potentially exposing sensitive files or resources. This is a path‑handling flaw that can lead to an unauthorized disclosure of confidential data.
Affected Systems
Users running the honojs:node-server package, specifically versions of the @hono/node-server library earlier than 1.19.13, are affected. The bug exists in the serveStatic component that serves static files for Hono applications on Node.js.
Risk and Exploitability
With a CVSS score of 5.3, the flaw is rated medium severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. Attackers can exploit it by crafting HTTP requests that include repeated slashes in the path to static resources, thereby bypassing route‑based middleware guards that protect sensitive files. Exploitation requires only network access to the application and no additional privileges or local execution.
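The root cause described in the Impact section (two layers that disagree on how a path is canonicalised) and the exposure described above are easier to see in a small model. The following JavaScript is an added illustration for this advisory, not code from @hono/node-server or Hono; it uses no Hono API. Every name in it (PROTECTED_PREFIX, FILES, collapseSlashes, guardMatches, handleVulnerable, handleHardened, findSuspiciousRequests, SAMPLE_LOG) is an assumption for the example, and the file contents and log lines are constructed. It shows the guard matching on the raw path while the static handler normalises it, the fix of canonicalising once before any matching, and a log check that flags requests whose raw path contains a repeated slash but whose canonical form lands under the protected prefix.

```javascript
// Added illustration of the path-handling mismatch described in the advisory.
// Constructed model, not the @hono/node-server or Hono source; all names below
// are assumptions for this example.

// Route prefix that an authorization middleware is registered for (assumed).
const PROTECTED_PREFIX = '/protected/';

// Constructed stand-in for files on disk: URL path -> file contents.
const FILES = new Map([
  ['/public/index.html', '<h1>public</h1>'],
  ['/protected/secret.txt', 'constructed confidential content'],
]);

// Canonicalise a request path by collapsing runs of "/" into a single "/".
// This models the normalisation the static handler applies when it resolves
// the request to a file.
function collapseSlashes(requestPath) {
  return requestPath.replace(/\/{2,}/g, '/');
}

// Route-based guard as the router sees it: a plain prefix match on whatever
// path string it is handed.
function guardMatches(routePath) {
  return routePath.startsWith(PROTECTED_PREFIX);
}

// Vulnerable pipeline model: the guard is matched against the raw path, but the
// static handler normalises the path before the file lookup, so the two layers
// disagree about which requests fall under PROTECTED_PREFIX.
function handleVulnerable(rawPath, authenticated) {
  if (guardMatches(rawPath) && !authenticated) {
    return { status: 401 };
  }
  const body = FILES.get(collapseSlashes(rawPath));
  return body === undefined ? { status: 404 } : { status: 200, body };
}

// Hardened pipeline model: canonicalise exactly once, before any matching, and
// have every later layer (guard and file lookup) use that single canonical path.
// Rejecting non-canonical paths outright with 400 is a stricter alternative.
function handleHardened(rawPath, authenticated) {
  const canonical = collapseSlashes(rawPath);
  if (guardMatches(canonical) && !authenticated) {
    return { status: 401 };
  }
  const body = FILES.get(canonical);
  return body === undefined ? { status: 404 } : { status: 200, body };
}

// Detection over access-log lines: flag requests whose raw path contains a
// repeated slash and whose canonical form lands under the protected prefix.
// Returns the flagged raw paths in log order.
function findSuspiciousRequests(logLines) {
  const flagged = [];
  for (const line of logLines) {
    const m = /"(?:GET|HEAD) (\S+) HTTP\/[\d.]+"/.exec(line);
    if (!m) continue;
    const rawPath = m[1];
    if (/\/\//.test(rawPath) && guardMatches(collapseSlashes(rawPath))) {
      flagged.push(rawPath);
    }
  }
  return flagged;
}

// Constructed access-log sample in combined-log style (not real traffic).
const SAMPLE_LOG = [
  '198.51.100.7 - - [01/Jan/2025:00:00:01 +0000] "GET /public/index.html HTTP/1.1" 200 14',
  '198.51.100.7 - - [01/Jan/2025:00:00:02 +0000] "GET /protected/secret.txt HTTP/1.1" 401 0',
  '198.51.100.7 - - [01/Jan/2025:00:00:03 +0000] "GET //protected/secret.txt HTTP/1.1" 200 31',
];

// Stand-alone demonstration.
console.log('vulnerable, canonical path:', handleVulnerable('/protected/secret.txt', false).status); // 401
console.log('vulnerable, doubled slash :', handleVulnerable('//protected/secret.txt', false).status); // 200
console.log('hardened, doubled slash   :', handleHardened('//protected/secret.txt', false).status);   // 401
console.log('flagged log entries       :', findSuspiciousRequests(SAMPLE_LOG));                       // [ '//protected/secret.txt' ]
```

The point of the hardened variant is not the particular regex but the ordering: one canonical form is computed first and every downstream decision (authorization and file resolution) is made on that same string. The log check is a cheap way to look back through existing access logs for the pattern this advisory describes while the upgrade to 1.19.13 or later is rolled out.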
OpenCVE Enrichment
Github GHSA