Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
4Blast Radius
ecosystem impact- 75 npm packages depend on @hono/node-server (26 direct, 49 indirect)
Ecosystem-wide dependent count for version 1.19.13.
DescriptionGitHub Advisory
Summary
A path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes (//) in the request path.
When route-based middleware (e.g., /admin/*) is used for authorization, the router may not match paths containing repeated slashes, while serveStatic resolves them as normalized paths. This can lead to a middleware bypass.
Details
The routing layer and serveStatic handle repeated slashes differently.
For example:
/admin/secret.txt=> matches/admin/*//admin/secret.txt=> may not match/admin/*
This inconsistency allows a request such as:
GET //admin/secret.txtto bypass middleware registered on /admin/* and access protected files.
Impact
An attacker can access static files that are intended to be protected by route-based middleware by using repeated slashes in the request path.
This can lead to unauthorized access to sensitive files under the static root.
This issue affects applications that rely on serveStatic together with route-based middleware for access control.
AnalysisAI
Path normalization inconsistency in Hono's node-server serveStatic middleware allows unauthenticated attackers to bypass route-based authorization middleware by using repeated slashes (e.g., //admin/secret.txt) to access protected static files, exposing sensitive information with low confidentiality impact (CVSS 5.3).
Technical ContextAI
The vulnerability exploits a discrepancy in how HTTP request paths are processed by different layers in Hono's node-server package (CPE: pkg:npm/@hono_node-server). Route-based middleware uses strict path matching that fails to recognize paths with repeated forward slashes as matching the protected route pattern (e.g., /admin/*), while the serveStatic middleware normalizes these paths and serves the files. This is a classic path traversal variant (CWE-22: Improper Limitation of a Pathname to a Restricted Directory) where the restriction mechanism (route-based middleware) and the file access mechanism (serveStatic) operate on different normalized representations of the same path, creating a bypass. The issue affects applications relying on middleware-based access control without proper path normalization enforcement at the routing layer.
RemediationAI
Upgrade @hono/node-server to version 1.19.13 or later, which includes the patch that normalizes path handling consistency between the routing layer and serveStatic middleware. The fix is available in the GitHub repository at https://github.com/honojs/node-server/releases/tag/v1.19.13. No workarounds are documented; patching is the primary remediation. For applications unable to upgrade immediately, implement explicit path normalization at the application level or use a dedicated static file serving proxy with consistent path handling before requests reach Hono routing layers. Refer to the official security advisory at https://github.com/honojs/node-server/security/advisories/GHSA-92pp-h63x-v22m for additional context.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20491
GHSA-92pp-h63x-v22m