CVE-2026-39407
Received Received - Intake
Path Traversal in Hono serveStatic Enables Middleware Bypass

Publication date: 2026-04-08

Last updated on: 2026-04-21

Assigner: GitHub, Inc.

Description
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, a path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes (//) in the request path. When route-based middleware (e.g., /admin/*) is used for authorization, the router may not match paths containing repeated slashes, while serveStatic resolves them as normalized paths. This can lead to a middleware bypass. This vulnerability is fixed in 4.12.12.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-08
Last Modified
2026-04-21
Generated
2026-06-16
AI Q&A
2026-04-08
EPSS Evaluated
2026-06-14
NVD
CVE-2026-39407
EUVD
EUVD-2026-20493
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
hono hono to 4.12.11 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

The vulnerability can lead to unauthorized access to protected static files in your application. Attackers can exploit the path handling inconsistency by inserting repeated slashes in request paths to bypass route-based authorization middleware. This means sensitive files intended to be restricted can be accessed remotely without any privileges or user interaction, potentially exposing confidential information.

Executive Summary

This vulnerability exists in the Hono web application framework's serveStatic middleware prior to version 4.12.12. It arises from an inconsistency in how paths containing repeated slashes (//) are handled. Route-based middleware, such as those protecting routes like /admin/*, fails to match paths with repeated slashes, while serveStatic normalizes these paths and serves the corresponding static files anyway. This mismatch allows an attacker to bypass authorization middleware by requesting a path with repeated slashes, thereby gaining unauthorized access to protected static files.

Detection Guidance

This vulnerability can be detected by testing if requests with repeated slashes (//) in the URL path bypass route-based middleware protections and access protected static files. For example, if your application protects paths like /admin/*, sending a request to /admin//secret.txt and checking if the file is served despite middleware restrictions indicates the vulnerability.

You can use network tools like curl to test this behavior by sending crafted HTTP requests with repeated slashes in the path and observing the responses.

  • curl -i http://yourserver/admin//secret.txt
  • curl -i http://yourserver/admin/secret.txt

If the response to the path with repeated slashes returns the protected file while the normal path is blocked, it indicates the vulnerability is present.

Mitigation Strategies

The immediate and recommended step to mitigate this vulnerability is to upgrade the hono framework to version 4.12.12 or later, where the issue has been fixed.

Version 4.12.12 includes a fix that rejects request paths containing repeated slashes, ensuring consistent path normalization between route matching and static file serving, thus preventing middleware bypass.

Until you can upgrade, consider implementing additional validation or sanitization of request paths in your middleware to reject or normalize repeated slashes before route matching.

Compliance Impact

This vulnerability allows unauthorized access to protected static files by bypassing route-based middleware authorization due to inconsistent path handling. Such unauthorized access to sensitive files could lead to exposure of confidential or personal data.

Exposure of sensitive data through this vulnerability may impact compliance with data protection regulations such as GDPR and HIPAA, which require strict access controls and protection of personal and sensitive information.

Therefore, applications affected by this vulnerability and relying on the vulnerable versions of the hono framework may face increased risk of non-compliance with these standards until the issue is remediated by upgrading to version 4.12.12 or later.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-39407. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart