Skip to main content

EUVDEUVD-2026-20491

| CVE-2026-39406 MEDIUM
Path Traversal (CWE-22)
2026-04-08 https://github.com/honojs/node-server GHSA-92pp-h63x-v22m
5.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

4
EUVD ID Assigned
Apr 08, 2026 - 00:30 euvd
EUVD-2026-20491
Analysis Generated
Apr 08, 2026 - 00:30 vuln.today
Patch released
Apr 08, 2026 - 00:30 nvd
Patch available
CVE Published
Apr 08, 2026 - 00:16 nvd
MEDIUM 5.3

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 75 npm packages depend on @hono/node-server (26 direct, 49 indirect)

Ecosystem-wide dependent count for version 1.19.13.

DescriptionGitHub Advisory

Summary

A path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes (//) in the request path.

When route-based middleware (e.g., /admin/*) is used for authorization, the router may not match paths containing repeated slashes, while serveStatic resolves them as normalized paths. This can lead to a middleware bypass.

Details

The routing layer and serveStatic handle repeated slashes differently.

For example:

  • /admin/secret.txt => matches /admin/*
  • //admin/secret.txt => may not match /admin/*

This inconsistency allows a request such as:

GET //admin/secret.txt

to bypass middleware registered on /admin/* and access protected files.

Impact

An attacker can access static files that are intended to be protected by route-based middleware by using repeated slashes in the request path.

This can lead to unauthorized access to sensitive files under the static root.

This issue affects applications that rely on serveStatic together with route-based middleware for access control.

AnalysisAI

Path normalization inconsistency in Hono's node-server serveStatic middleware allows unauthenticated attackers to bypass route-based authorization middleware by using repeated slashes (e.g., //admin/secret.txt) to access protected static files, exposing sensitive information with low confidentiality impact (CVSS 5.3).

Technical ContextAI

The vulnerability exploits a discrepancy in how HTTP request paths are processed by different layers in Hono's node-server package (CPE: pkg:npm/@hono_node-server). Route-based middleware uses strict path matching that fails to recognize paths with repeated forward slashes as matching the protected route pattern (e.g., /admin/*), while the serveStatic middleware normalizes these paths and serves the files. This is a classic path traversal variant (CWE-22: Improper Limitation of a Pathname to a Restricted Directory) where the restriction mechanism (route-based middleware) and the file access mechanism (serveStatic) operate on different normalized representations of the same path, creating a bypass. The issue affects applications relying on middleware-based access control without proper path normalization enforcement at the routing layer.

RemediationAI

Upgrade @hono/node-server to version 1.19.13 or later, which includes the patch that normalizes path handling consistency between the routing layer and serveStatic middleware. The fix is available in the GitHub repository at https://github.com/honojs/node-server/releases/tag/v1.19.13. No workarounds are documented; patching is the primary remediation. For applications unable to upgrade immediately, implement explicit path normalization at the application level or use a dedicated static file serving proxy with consistent path handling before requests reach Hono routing layers. Refer to the official security advisory at https://github.com/honojs/node-server/security/advisories/GHSA-92pp-h63x-v22m for additional context.

Share

EUVD-2026-20491 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy