CVE-2026-39406
Path Traversal Middleware Bypass in @hono/node-server Prior to
Publication date: 2026-04-08
Last updated on: 2026-04-21
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| hono | node-server | up to 1.19.12 (inclusive) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
Attack-Flow Graph
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to upgrade the @hono/node-server package to version 1.19.13 or later, where the issue with path normalization and middleware bypass has been fixed.
Until the upgrade can be applied, consider implementing additional validation or normalization of request paths to prevent repeated slashes from bypassing route-based middleware.
Also, review and test your route-based middleware to ensure it correctly handles and normalizes paths with repeated slashes.
Can you explain this vulnerability to me?
CVE-2026-39406 is a moderate severity vulnerability in the @hono/node-server package before version 1.19.13. It involves an inconsistency in how repeated slashes (//) in request paths are handled between the routing middleware and the serveStatic middleware.
Specifically, route-based middleware (such as routes matching /admin/*) does not recognize paths containing repeated slashes and therefore fails to apply authorization checks. Meanwhile, serveStatic normalizes these paths and serves the requested static files.
This mismatch allows an attacker to bypass middleware protections by crafting requests with repeated slashes (for example, GET //admin/secret.txt), gaining unauthorized access to protected static files.
How can this vulnerability impact me?
This vulnerability can allow an attacker to bypass route-based authorization middleware and access protected static files without proper permission.
Since no privileges or user interaction are required, an attacker can remotely exploit this issue by sending specially crafted requests with repeated slashes in the URL path.
The impact is limited to unauthorized read access to protected files, which could lead to exposure of sensitive information.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing if requests with repeated slashes (//) in the path bypass route-based middleware protections and access protected static files.
For example, you can attempt to access a protected resource by sending HTTP requests with repeated slashes in the URL path, such as:
- curl -i http://yourserver//admin/secret.txt
- curl -i http://yourserver//protected/path/file
If these requests return the protected files without the authorization check being applied, the server is running an affected version.
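The mismatch described in the explanation above, and the check described in this answer, as an added example that is not code from Hono or @hono/node-server: a simplified prefix guard misses `//admin/...` while a slash-collapsing step applied before route matching makes the guard and the static handler agree. The guard, middleware and helper names are hypothetical.

```javascript
// Added example, not code from @hono/node-server or Hono. It models the
// mismatch the advisory describes with a simplified prefix matcher and shows
// a normalization step that closes it. All function names are hypothetical.

// Collapse runs of "/" into one. This is the kind of normalization a static
// file handler applies; the bug is that route matching did not apply it.
function collapseSlashes(pathname) {
  return pathname.replace(/\/{2,}/g, "/");
}

// Naive route guard: compares the raw request path with a protected prefix.
// "//admin/secret.txt" does not start with "/admin/", so no check fires.
function isProtected(pathname, prefix = "/admin/") {
  return pathname.startsWith(prefix);
}

// Hardened guard: normalize first, then match, so both handlers agree.
function isProtectedNormalized(pathname, prefix = "/admin/") {
  return isProtected(collapseSlashes(pathname), prefix);
}

// Rewrite a raw request URL (path plus optional query) so every downstream
// handler, route guards included, sees the same canonical path.
function normalizeRequestUrl(url) {
  const q = url.indexOf("?");
  const path = q === -1 ? url : url.slice(0, q);
  const query = q === -1 ? "" : url.slice(q);
  return collapseSlashes(path) + query;
}

// Hypothetical (req, res, next) middleware wrapping the rewrite; install it
// before any route-based authorization middleware.
function normalizePathMiddleware(req, res, next) {
  req.url = normalizeRequestUrl(req.url);
  next();
}

// Over a list of sample paths (constructed by the caller), return those the
// naive guard misses but the normalized guard would protect: each one is a
// request that reaches the static handler without the authorization check.
function findBypasses(paths, prefix = "/admin/") {
  return paths.filter(
    (p) => !isProtected(p, prefix) && isProtectedNormalized(p, prefix)
  );
}
```

Running `findBypasses` over your own route list is a quick way to confirm that the normalization middleware leaves no path on which the two checks disagree.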
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows unauthorized access to protected static files by bypassing route-based middleware authorization due to inconsistent path handling. Such unauthorized access to protected files could lead to exposure of sensitive or confidential information.
As a result, organizations using affected versions of @hono/node-server might face challenges in maintaining compliance with data protection regulations and standards like GDPR or HIPAA, which require strict access controls to protect personal or sensitive data.
The vulnerability's confidentiality impact is rated as low, indicating unauthorized read access, which could still be significant depending on the nature of the protected files.