CVE-2026-29087
Authorization Bypass via URL Decoding in @hono/node-server Static Files
Publication date: 2026-03-06
Last updated on: 2026-04-14
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| hono | node-server | to 1.19.10 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
Attack-Flow Graph
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the @hono/node-server package to version 1.19.10 or later, where this vulnerability has been patched.
The patch includes safer URI decoding, path traversal protections, and fixes to ensure that route-based middleware protections cannot be bypassed by encoded slashes in URLs.
Until the upgrade is applied, consider implementing additional access control checks directly in the static file serving layer or avoid relying solely on route-based middleware for protecting static resources.
Can you explain this vulnerability to me?
CVE-2026-29087 is an authorization bypass vulnerability in the @hono/node-server package prior to version 1.19.10. It occurs when static file serving is used together with route-based middleware protections, such as protecting paths like /admin/*. The issue arises because the routing layer and the static file handler decode URLs inconsistently. Specifically, encoded slashes (%2F) are treated differently: the router treats them as literal strings and does not match the protected route, while the static file handler decodes %2F into a slash (/) and serves the file. This discrepancy allows an attacker to access protected static resources without triggering the authorization middleware.
How can this vulnerability impact me? :
This vulnerability can lead to unauthorized disclosure of protected static files. If your application relies solely on route-based middleware for access control under the same static root, attackers can bypass these protections by crafting requests with encoded slashes (%2F). This allows them to access sensitive files that should be restricted, without needing any privileges or user interaction. The vulnerability can be exploited remotely over the network.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing if requests with encoded slashes (%2F) in URLs bypass route-based middleware protections and access protected static files without authorization.
For example, you can attempt to access a protected resource normally and then with an encoded slash in the path to see if the authorization middleware is bypassed.
- Send a request to a protected path like /admin/secret.txt with proper authorization headers and verify access is granted.
- Send a request to the same resource but with an encoded slash in the path, e.g., /admin%2Fsecret.txt, and check if the file is served without authorization.
If the second request returns the protected file without requiring authorization, the system is vulnerable.
No specific commands are provided in the resources, but using tools like curl or HTTP clients to craft such requests can help detect the issue.