Skip to main content

CVE-2026-39407

| EUVDEUVD-2026-20493 MEDIUM
Path Traversal (CWE-22)
2026-04-08 https://github.com/honojs/hono GHSA-wmmm-f939-6g9c
5.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

4
EUVD ID Assigned
Apr 08, 2026 - 00:30 euvd
EUVD-2026-20493
Analysis Generated
Apr 08, 2026 - 00:30 vuln.today
Patch released
Apr 08, 2026 - 00:30 nvd
Patch available
CVE Published
Apr 08, 2026 - 00:16 nvd
MEDIUM 5.3

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 64 npm packages depend on hono (48 direct, 16 indirect)

Ecosystem-wide dependent count for version 4.12.12.

DescriptionGitHub Advisory

Summary

A path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes (//) in the request path.

When route-based middleware (e.g., /admin/*) is used for authorization, the router may not match paths containing repeated slashes, while serveStatic resolves them as normalized paths. This can lead to a middleware bypass.

Details

The routing layer and serveStatic handle repeated slashes differently.

For example:

/admin/secret.txt => matches /admin/*
/admin//secret.txt => may not match /admin/*

However, serveStatic may interpret both paths as the same file location (e.g., admin/secret.txt) and return the file.

This inconsistency allows a request such as:

GET //admin/secret.txt

to bypass middleware registered on /admin/* and access protected files.

The issue has been fixed by rejecting paths that contain repeated slashes, ensuring consistent behavior between route matching and static file resolution.

Impact

An attacker can access static files that are intended to be protected by route-based middleware by using repeated slashes in the request path.

This can lead to unauthorized access to sensitive files under the static root.

This issue affects applications that rely on serveStatic together with route-based middleware for access control.

AnalysisAI

Middleware bypass in Hono's serveStatic allows unauthenticated remote attackers to access protected static files by using repeated slashes in request paths, exploiting inconsistent path handling between the routing layer and static file resolution. The vulnerability affects Hono applications that rely on route-based middleware for access control, enabling unauthorized disclosure of sensitive files. Vendor-released patch available in version 4.12.12.

Technical ContextAI

Hono is a lightweight JavaScript web framework. The vulnerability stems from a path normalization inconsistency (CWE-22: Improper Limitation of a Pathname to a Restricted Directory) where the routing engine and the serveStatic middleware interpret repeated forward slashes differently. The router may not match paths containing // patterns against wildcard routes like /admin/*, while the serveStatic handler resolves both normalized and non-normalized paths to the same file location. For example, a request to GET //admin/secret.txt bypasses the /admin/* middleware rule because the router does not match the path with leading double slashes, but serveStatic normalizes the path and serves the file. This occurs because path normalization happens at different stages of request processing, creating an authentication bypass window where protected resources become accessible.

RemediationAI

Upgrade Hono to version 4.12.12 or later, which includes a fix that rejects paths containing repeated slashes, ensuring consistent path normalization between the routing layer and serveStatic middleware. This fix prevents the middleware bypass by guaranteeing that paths with // patterns are either rejected outright or normalized before routing decisions are made. Apply the patch immediately to all applications using Hono with route-based access control on static files. See vendor advisory at https://github.com/honojs/hono/security/advisories/GHSA-wmmm-f939-6g9c for detailed upgrade guidance.

Share

CVE-2026-39407 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy