CVE-2026-47676
Path Traversal in Hono JavaScript Framework
Publication date: 2026-05-28
Last updated on: 2026-05-28
Assigner: GitHub, Inc.
Meta Information
| CWE ID | Description |
|---|---|
| CWE-693 | The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product. |
| CWE-444 | The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects the Hono web application framework in versions prior to 4.12.21. When a sub-application is attached with app.mount(), Hono has to remove the mount prefix from the incoming request path before handing the request to the sub-application. The prefix is stripped from the raw URL pathname (still percent-encoded), while route matching is performed against the percent-decoded path. For plain ASCII paths the two representations have the same length, so the result is identical. When the path contains percent-encoded multi-byte characters, the decoded string is shorter than the raw one (a single decoded character such as é corresponds to the six raw characters %C3%A9), so the prefix length computed on one representation is applied to the other and the cut lands in the wrong place. The mounted sub-application therefore receives an incorrect path.
How can this vulnerability impact me?
Because the mount prefix is stripped at the wrong offset when the request path contains percent-encoded multi-byte characters, the mounted sub-application routes on a path that differs from the one the parent application matched. The sub-application may then dispatch the request to a different handler than intended, so route-level protections that are keyed on the path (such as middleware attached to specific sub-application routes) can be skipped, and resources may be served under a path the operator did not expect. The severity depends on what the mounted sub-application exposes and on which of its routes rely on the path for access decisions.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Hono to version 4.12.21 or later, where app.mount() strips the prefix consistently with the percent-decoded path used for route matching. Applications that do not use app.mount() are not affected by this issue. After upgrading, a quick check is to send a request whose path contains percent-encoded multi-byte characters (for example an encoded é) to a mounted path and confirm that the sub-application receives the expected remainder of the path.