Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
4Blast Radius
ecosystem impact- 64 npm packages depend on hono (48 direct, 16 indirect)
Ecosystem-wide dependent count for version 4.12.12.
DescriptionGitHub Advisory
Summary
A path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes (//) in the request path.
When route-based middleware (e.g., /admin/*) is used for authorization, the router may not match paths containing repeated slashes, while serveStatic resolves them as normalized paths. This can lead to a middleware bypass.
Details
The routing layer and serveStatic handle repeated slashes differently.
For example:
/admin/secret.txt => matches /admin/*
/admin//secret.txt => may not match /admin/*However, serveStatic may interpret both paths as the same file location (e.g., admin/secret.txt) and return the file.
This inconsistency allows a request such as:
GET //admin/secret.txtto bypass middleware registered on /admin/* and access protected files.
The issue has been fixed by rejecting paths that contain repeated slashes, ensuring consistent behavior between route matching and static file resolution.
Impact
An attacker can access static files that are intended to be protected by route-based middleware by using repeated slashes in the request path.
This can lead to unauthorized access to sensitive files under the static root.
This issue affects applications that rely on serveStatic together with route-based middleware for access control.
AnalysisAI
Middleware bypass in Hono's serveStatic allows unauthenticated remote attackers to access protected static files by using repeated slashes in request paths, exploiting inconsistent path handling between the routing layer and static file resolution. The vulnerability affects Hono applications that rely on route-based middleware for access control, enabling unauthorized disclosure of sensitive files. Vendor-released patch available in version 4.12.12.
Technical ContextAI
Hono is a lightweight JavaScript web framework. The vulnerability stems from a path normalization inconsistency (CWE-22: Improper Limitation of a Pathname to a Restricted Directory) where the routing engine and the serveStatic middleware interpret repeated forward slashes differently. The router may not match paths containing // patterns against wildcard routes like /admin/*, while the serveStatic handler resolves both normalized and non-normalized paths to the same file location. For example, a request to GET //admin/secret.txt bypasses the /admin/* middleware rule because the router does not match the path with leading double slashes, but serveStatic normalizes the path and serves the file. This occurs because path normalization happens at different stages of request processing, creating an authentication bypass window where protected resources become accessible.
RemediationAI
Upgrade Hono to version 4.12.12 or later, which includes a fix that rejects paths containing repeated slashes, ensuring consistent path normalization between the routing layer and serveStatic middleware. This fix prevents the middleware bypass by guaranteeing that paths with // patterns are either rejected outright or normalized before routing decisions are made. Apply the patch immediately to all applications using Hono with route-based access control on static files. See vendor advisory at https://github.com/honojs/hono/security/advisories/GHSA-wmmm-f939-6g9c for detailed upgrade guidance.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20493
GHSA-wmmm-f939-6g9c