CVE-2026-29045
HIGH
GHSA-q5qw-h33p-qvwr
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
3Description
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.12.4, when using serveStatic together with route-based middleware protections (e.g. app.use('/admin/*', ...)), inconsistent URL decoding allowed protected static resources to be accessed without authorization. The router used decodeURI, while serveStatic used decodeURIComponent. This mismatch allowed paths containing encoded slashes (%2F) to bypass middleware protections while still resolving to the intended filesystem path. This issue has been patched in version 4.12.4.
Analysis
Hono versions prior to 4.12.4 suffer from an authentication bypass in serveStatic when combined with route-based middleware protections due to inconsistent URL decoding between the router and file serving components. An unauthenticated remote attacker can exploit this mismatch by encoding slashes (%2F) in request paths to access protected static resources that should be restricted by middleware rules. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Inventory all applications using Hono framework and identify those with serveStatic and route-based middleware protections enabled. Within 7 days: Apply vendor patch to upgrade Hono to version 4.12.4 or later across all affected systems; conduct testing in non-production environments first. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today