Skip to main content

Hono serve-static EUVDEUVD-2026-38327

| CVE-2026-54286 MEDIUM
Path Traversal (CWE-22)
2026-06-16 https://github.com/honojs/hono GHSA-wwfh-h76j-fc44
5.9
CVSS 3.1 · Vendor: https://github.com/honojs/hono
Share

Severity by source

Vendor (https://github.com/honojs/hono) PRIMARY
5.9 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
5.9 MEDIUM

AC:H reflects the Windows-only platform requirement and the need for prefix-mounted middleware guarding a static subtree; confidentiality impact is High but integrity and availability are unaffected.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (https://github.com/honojs/hono).

CVSS VectorVendor: https://github.com/honojs/hono

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

3
Source Code Evidence Fetched
Jun 16, 2026 - 14:53 vuln.today
Analysis Generated
Jun 16, 2026 - 14:53 vuln.today
CVE Published
Jun 16, 2026 - 14:09 github-advisory
MEDIUM 5.9

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 53 npm packages depend on hono (34 direct, 19 indirect)

Ecosystem-wide dependent count for version 4.12.25.

DescriptionCVE.org

Summary

On Windows hosts, an encoded backslash (%5C) in the request path decodes to \, which the Windows path resolver treats as a separator. serve-static then resolves a single URL segment such as admin\secret.txt into a nested file under the root and serves it, letting an attacker read static files meant to be protected behind prefix-mounted middleware. Directory escape (..) remains blocked.

Details

The router splits paths only on /, so /admin%5Csecret.txt is one segment and middleware on /admin/* does not run. The serve-static guard rejects ./.. and consecutive separators but lets a lone \ through; on Windows the file resolver re-splits it into the protected subtree.

This affects Windows hosts serving static files via the Node, Bun, or Deno adapters that guard a static subtree with prefix-mounted middleware.

Impact

An unauthenticated attacker can read static files under a middleware-guarded prefix on Windows hosts. The read stays within the configured root; escape outside the root is not possible.

AnalysisAI

Static file disclosure in Hono's serve-static middleware on Windows allows unauthenticated remote attackers to read files protected behind prefix-mounted middleware by submitting a URL-encoded backslash (%5C) in the request path. Hono versions prior to 4.12.25 are affected when deployed on Windows using the Node, Bun, or Deno adapters with an auth or access-control middleware guarding a static subtree. No public exploit or CISA KEV listing has been identified at time of analysis, but the attack primitive is trivially constructable from the public advisory.

Technical ContextAI

Hono (pkg:npm/hono) is a lightweight multi-runtime web framework. Its router tokenizes URL paths exclusively on the forward-slash delimiter ('/'), so the encoded sequence %5C (URL encoding for the backslash character '\') survives tokenization as part of a single path segment. Middleware mounted on a glob prefix such as '/admin/*' therefore never intercepts a request for '/admin%5Csecret.txt' - the router sees one opaque segment, not a nested path. The serve-static handler applies its own safety checks that correctly block dot-dot traversal ('..') and consecutive separators, but does not normalize or reject a lone backslash before passing the path to the underlying OS file resolver. On Windows, the NTFS/Win32 path resolver treats backslash as a canonical directory separator, so 'admin\secret.txt' resolves identically to 'admin/secret.txt' within the configured static root. The result is that files inside the middleware-guarded subtree are served without the protective middleware ever executing. CWE-22 (Improper Limitation of a Pathname to a Restricted Directory - Path Traversal) captures this root cause: insufficient normalization of platform-specific alternate separator characters before path resolution. Directory escape beyond the static root is not possible because the remaining guard logic blocks '..' sequences.

RemediationAI

Upgrade Hono to version 4.12.25 or later; this is the vendor-confirmed fixed release per the GitHub Security Advisory GHSA-wwfh-h76j-fc44 (https://github.com/honojs/hono/security/advisories/GHSA-wwfh-h76j-fc44). For teams unable to upgrade immediately, a targeted workaround is to add explicit middleware or a custom request hook that normalizes incoming URL paths by decoding percent-encoded characters and rejecting or rewriting any path containing a backslash before routing occurs - this eliminates the separator ambiguity before Hono's router tokenizes the path. A simpler interim control is to migrate protected assets out of the static root entirely and serve them through explicit route handlers that perform authorization checks directly, removing the dependency on middleware ordering. Note that simply adding a second middleware layer after serve-static does not help, as the issue is that the protective middleware is bypassed entirely. If files in the guarded path are not legitimately needed by unauthenticated users under any circumstance, restricting the application to non-Windows deployment environments is also an effective workaround with no functional trade-offs for cross-platform teams.

Share

EUVD-2026-38327 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy