Description
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, a path traversal issue in toSSG() allows files to be written outside the configured output directory during static site generation. When using dynamic route parameters via ssgParams, specially crafted values can cause generated file paths to escape the intended output directory. This vulnerability is fixed in 4.12.12.
Published: 2026-04-08
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary File Write
Action: Apply Patch
AI Analysis

Impact

The flaw resides in the toSSG function of the Hono web framework, where a path traversal bug permits specially crafted dynamic route parameters to escape the intended output directory during static site generation. This allows an attacker to write files anywhere on the build machine, potentially overwriting configuration files or injecting malicious content into the generated site.

Affected Systems

Any installation of Hono older than version 4.12.12 is affected, regardless of the JavaScript runtime used. The defect is present in all builds that invoke the toSSG function with user-controllable ssgParams until the patch is applied.

Risk and Exploitability

The vulnerability carries a moderate severity score of 5.9. Exploitation requires the attacker to influence the static site generation parameters, which is typically possible only during site build or deployment. No public exploits are recorded and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog. Successful exploitation would allow a compromise of the build environment’s file system but does not provide remote code execution beyond file write capabilities.

Generated by OpenCVE AI on April 8, 2026 at 17:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Hono to version 4.12.12 or newer to eliminate the path traversal flaw.



Advisories
Source: Github GHSA
ID: GHSA-xf4j-xp2r-rqqx
Title: Hono: Path traversal in toSSG() allows writing files outside the output directory
History

Thu, 09 Apr 2026 08:30:00 +0000

Type: First Time appeared
  Values Added: Hono; Hono hono
Type: Vendors & Products
  Values Added: Hono; Hono hono

Wed, 08 Apr 2026 15:00:00 +0000

Type: Description
  Values Added: Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, a path traversal issue in toSSG() allows files to be written outside the configured output directory during static site generation. When using dynamic route parameters via ssgParams, specially crafted values can cause generated file paths to escape the intended output directory. This vulnerability is fixed in 4.12.12.
Type: Title
  Values Added: Hono has a path traversal in toSSG() allows writing files outside the output directory
Type: Weaknesses
  Values Added: CWE-22
Type: References
  Values Added:
Type: Metrics
  Values Added: cvssV4_0 {'score': 5.9, 'vector': 'CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-08T14:42:25.357Z

Reserved: 2026-04-07T00:23:30.594Z

Link: CVE-2026-39408

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-04-08T15:16:14.823

Modified: 2026-04-08T21:26:13.410

Link: CVE-2026-39408

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-09T08:18:48Z

Weaknesses