Description
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.25, on Windows hosts, an encoded backslash (%5C) in the request path decodes to \, which the Windows path resolver treats as a separator. serve-static then resolves a single URL segment such as admin\secret.txt into a nested file under the root and serves it, letting an attacker read static files meant to be protected behind prefix-mounted middleware. This vulnerability is fixed in 4.12.25.
Published: 2026-06-22
Score: 5.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an attacker to read static files located outside the intended serving directory on Windows hosts. An encoded backslash in the request path is decoded to a literal backslash, which Windows treats as a path separator. The serve-static module then resolves the path to the nested file and serves it, bypassing any prefix-mounted middleware that might normally protect the file. This results in disclosure of potentially sensitive data, such as configuration files or other protected content.

Affected Systems

The Hono framework prior to version 4.12.25, when run on Windows hosts. Any deployment of Hono before that release that serves static content via serve-static is potentially affected. Versions 4.12.25 and later are not affected.

Risk and Exploitability

The vulnerability has a CVSS score of 5.9 and is not listed in the CISA KEV catalog. The EPSS score is not available, indicating no publicly known exploitation yet. The attack requires sending a crafted HTTP request with an encoded backslash, which a remote attacker can do over the public internet if the Hono application is exposed. The solution is straightforward: upgrade to 4.12.25 or later. Until then, an attacker can read unprotected files through the static file serving endpoint.

Generated by OpenCVE AI on June 22, 2026 at 18:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Hono to version 4.12.25 or later to apply the fixed handling of encoded backslashes.
  • Validate and normalize request paths on the server side, rejecting or removing encoded backslashes before passing them to serve‑static.
  • Restrict static file serving to a dedicated directory with appropriate permissions and ensure that prefix‑mounted middleware is correctly configured to block unauthorized paths.
  • If sensitive static assets must remain accessible, consider moving them behind authentication or protecting them with an additional reverse proxy layer.


Advisories
Source: Github GHSA
ID: GHSA-wwfh-h76j-fc44
Title: hono: Path traversal in `serve-static` on Windows via encoded backslash (`%5C`)
History

Mon, 22 Jun 2026 17:30:00 +0000

Values added (no values removed):

Description: the CVE description text shown at the top of this page
Title: Hono: Path traversal in `serve-static` on Windows via encoded backslash (`%5C`)
Weaknesses: CWE-22
References: none listed
Metrics: cvssV3_1, score 5.9, vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N



MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-22T17:14:40.133Z

Reserved: 2026-06-12T17:46:37.292Z

Link: CVE-2026-54286

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-22T18:45:04Z

Weaknesses
  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')