Description
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, a path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes (//) in the request path. When route-based middleware (e.g., /admin/*) is used for authorization, the router may not match paths containing repeated slashes, while serveStatic resolves them as normalized paths. This can lead to a middleware bypass. This vulnerability is fixed in 4.12.12.
Published: 2026-04-08
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: Middleware Bypass
Action: Patch
AI Analysis

Impact

The flaw arises from Hono’s serveStatic component normalizing repeated slashes in request paths, allowing a crafted URL with repeated slashes to bypass the route-based middleware that guards protected static files. This path handling inconsistency is a CWE-22 weakness and can lead to unauthorized access to sensitive data.

Affected Systems

The vulnerability impacts the Hono web application framework from honojs. Versions prior to 4.12.12 are vulnerable when serveStatic is used to expose static resources behind authorization middleware such as /admin/*. The issue applies to any JavaScript runtime that runs an affected Hono release and serves protected static files.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity. No EPSS score is reported and the flaw is not listed in the CISA KEV catalog. An attacker can remotely trigger the bypass by sending an HTTP request with repeated slashes to the target server; the framework normalizes the path while the router fails to match the middleware rule, resulting in unauthorized exposure of protected content.

Generated by OpenCVE AI on April 8, 2026 at 16:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to Hono 4.12.12 or later to eliminate the path normalization flaw.

Generated by OpenCVE AI on April 8, 2026 at 16:51 UTC.

Tracking


Advisories
Source: Github GHSA
ID: GHSA-wmmm-f939-6g9c
Title: Hono: Middleware bypass via repeated slashes in serveStatic
History

Wed, 08 Apr 2026 16:15:00 +0000

Values added:
Metrics (ssvc): {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 08 Apr 2026 15:00:00 +0000

Values added:
Description: Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, a path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes (//) in the request path. When route-based middleware (e.g., /admin/*) is used for authorization, the router may not match paths containing repeated slashes, while serveStatic resolves them as normalized paths. This can lead to a middleware bypass. This vulnerability is fixed in 4.12.12.
Title: Hono has a middleware bypass via repeated slashes in serveStatic
Weaknesses: CWE-22
References:
Metrics (cvssV3_1): {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-08T16:04:59.862Z

Reserved: 2026-04-07T00:23:30.594Z

Link: CVE-2026-39407

Vulnrichment

Updated: 2026-04-08T16:04:56.868Z

NVD

Status: Awaiting Analysis

Published: 2026-04-08T15:16:14.667

Modified: 2026-04-08T21:26:13.410

Link: CVE-2026-39407

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T19:39:14Z

Weaknesses