EUVD-2026-20493
GHSA-wmmm-f939-6g9c
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
4Description
## Summary A path handling inconsistency in `serveStatic` allows protected static files to be accessed by using repeated slashes (`//`) in the request path. When route-based middleware (e.g., `/admin/*`) is used for authorization, the router may not match paths containing repeated slashes, while serveStatic resolves them as normalized paths. This can lead to a middleware bypass. ## Details The routing layer and `serveStatic` handle repeated slashes differently. For example: ``` /admin/secret.txt => matches /admin/* /admin//secret.txt => may not match /admin/* ``` However, `serveStatic` may interpret both paths as the same file location (e.g., `admin/secret.txt`) and return the file. This inconsistency allows a request such as: ``` GET //admin/secret.txt ``` to bypass middleware registered on `/admin/*` and access protected files. The issue has been fixed by rejecting paths that contain repeated slashes, ensuring consistent behavior between route matching and static file resolution. ## Impact An attacker can access static files that are intended to be protected by route-based middleware by using repeated slashes in the request path. This can lead to unauthorized access to sensitive files under the static root. This issue affects applications that rely on serveStatic together with route-based middleware for access control.
Analysis
Middleware bypass in Hono's serveStatic allows unauthenticated remote attackers to access protected static files by using repeated slashes in request paths, exploiting inconsistent path handling between the routing layer and static file resolution. The vulnerability affects Hono applications that rely on route-based middleware for access control, enabling unauthorized disclosure of sensitive files. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today