CVE-2026-39407
Path Traversal in Hono serveStatic Enables Middleware Bypass

Publication date: 2026-04-08

Last updated on: 2026-04-21

Assigner: GitHub, Inc.

Description
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, a path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes (//) in the request path. When route-based middleware (e.g., /admin/*) is used for authorization, the router may not match paths containing repeated slashes, while serveStatic resolves them as normalized paths. This can lead to a middleware bypass. This vulnerability is fixed in 4.12.12.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-04-08
EPSS Evaluated: 2026-05-05
References: NVD, EUVD
Affected Vendors & Products (1 associated CPE)
Vendor: hono
Product: hono
Version / Range: up to and including 4.12.11
Weakness
CWE-22: The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
AI Powered Q&A
How can this vulnerability impact me?

The vulnerability can lead to unauthorized access to protected static files in your application. Attackers can exploit the path handling inconsistency by inserting repeated slashes in request paths to bypass route-based authorization middleware. This means sensitive files intended to be restricted can be accessed remotely without any privileges or user interaction, potentially exposing confidential information.


Can you explain this vulnerability to me?

This vulnerability exists in the Hono web application framework's serveStatic middleware prior to version 4.12.12. It arises from an inconsistency in how paths containing repeated slashes (//) are handled. Route-based middleware, such as those protecting routes like /admin/*, fails to match paths with repeated slashes, while serveStatic normalizes these paths and serves the corresponding static files anyway. This mismatch allows an attacker to bypass authorization middleware by requesting a path with repeated slashes, thereby gaining unauthorized access to protected static files.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by testing whether requests with repeated slashes (//) in the URL path bypass route-based middleware protections and reach protected static files. For example, if your application protects paths like /admin/*, sending a request to /admin//secret.txt and checking whether the file is served despite the middleware restriction indicates the vulnerability.

You can use network tools like curl to test this behavior by sending crafted HTTP requests with repeated slashes in the path and observing the responses.

  • curl -i http://yourserver/admin//secret.txt
  • curl -i http://yourserver/admin/secret.txt

If the response to the path with repeated slashes returns the protected file while the normal path is blocked, it indicates the vulnerability is present.


What immediate steps should I take to mitigate this vulnerability?

The immediate and recommended step to mitigate this vulnerability is to upgrade the hono framework to version 4.12.12 or later, where the issue has been fixed.

Version 4.12.12 includes a fix that rejects request paths containing repeated slashes, so that route matching and static file serving see the same path and the middleware can no longer be bypassed.

Until you can upgrade, consider implementing additional validation or sanitization of request paths in your middleware to reject or normalize repeated slashes before route matching.
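The interim mitigation above can be implemented as a small middleware registered ahead of the route-based guards. The code below is an added example written for this page, not Hono's own code or the upstream fix. It assumes the Hono middleware signature (c, next), that c.req.path carries the raw request path, and that c.text(body, status) builds a response; the stub context at the bottom is constructed so the example runs without Hono installed. It also adds a second layer: an authorization check that works on the normalized path, the same form a static file lookup ends up with, so the two can never disagree.

```javascript
// Added example (not Hono's own code): reject request paths containing repeated
// slashes before any route-based authorization runs, so the router and
// serveStatic never see different views of the same request.
// Assumed Hono shapes: c.req.path (raw request path) and c.text(body, status).

const REPEATED_SLASH = /\/{2,}/;

// True when the path contains two or more consecutive slashes,
// e.g. "/admin//secret.txt".
function hasRepeatedSlashes(path) {
  return REPEATED_SLASH.test(path);
}

// Collapse runs of slashes into one. This is the form a static file server
// resolves on disk, so any authorization decision must be made on this form,
// not on the raw string.
function normalizePath(path) {
  return path.replace(/\/{2,}/g, '/');
}

// Middleware to register before route-based guards, e.g.
//   app.use('*', rejectRepeatedSlashes);
//   app.use('/admin/*', requireAuth);
//   app.use('/*', serveStatic({ root: './public' }));
// Rejecting (rather than silently normalizing) mirrors the behaviour of the
// fixed version and keeps the attempt visible as a 400 in access logs.
function rejectRepeatedSlashes(c, next) {
  if (hasRepeatedSlashes(c.req.path)) {
    return c.text('Bad Request', 400);
  }
  return next();
}

// Defence in depth: decide whether a path is protected using its normalized
// form, so a raw-path pattern that fails to match cannot reopen the bypass.
function isProtectedPath(path, protectedPrefixes = ['/admin/']) {
  const normalized = normalizePath(path);
  return protectedPrefixes.some((prefix) => normalized.startsWith(prefix));
}

// Constructed stub standing in for Hono's Context so the guard can be driven
// stand-alone. Real Hono middleware receives an async next(); a synchronous
// stub is enough to observe the guard's decision.
function makeContext(path) {
  return {
    req: { path },
    text: (body, status = 200) => ({ status, body }),
  };
}

// Run one raw path through the guard and report the HTTP status it would get
// before reaching any route handler: 400 when rejected, 200 when passed on.
function guardStatus(path) {
  const response = rejectRepeatedSlashes(makeContext(path), () => undefined);
  return response ? response.status : 200;
}

// Constructed sample requests matching the curl checks given above.
const SAMPLE_PATHS = ['/admin/secret.txt', '/admin//secret.txt', '/public//index.html'];
for (const p of SAMPLE_PATHS) {
  console.log(`${p} -> ${guardStatus(p)} (protected: ${isProtectedPath(p)})`);
}
```

The guard is deliberately placed on '*' rather than on '/admin/*': the whole point of the bug is that a pattern with a wildcard may not match a path carrying repeated slashes, so a guard registered only under the protected prefix would be skipped for exactly the requests it needs to catch. isProtectedPath is the belt-and-braces check for any custom authorization logic you keep after upgrading.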


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability allows unauthorized access to protected static files by bypassing route-based middleware authorization due to inconsistent path handling. Such unauthorized access to sensitive files could lead to exposure of confidential or personal data.

Exposure of sensitive data through this vulnerability may impact compliance with data protection regulations such as GDPR and HIPAA, which require strict access controls and protection of personal and sensitive information.

Therefore, applications affected by this vulnerability and relying on the vulnerable versions of the hono framework may face increased risk of non-compliance with these standards until the issue is remediated by upgrading to version 4.12.12 or later.

