CVE-2026-47676
Path Traversal in Hono JavaScript Framework

Publication date: 2026-05-28

Last updated on: 2026-05-29

Assigner: GitHub, Inc.

Description
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, app.mount() strips the mount prefix from the incoming request path using the raw URL pathname, while route matching is performed against the percent-decoded path. This inconsistency causes the prefix to be stripped at the wrong position when the path contains percent-encoded multi-byte characters, resulting in the mounted sub-application receiving an incorrect path. This vulnerability is fixed in 4.12.21.
Affected Vendors & Products

Vendor: hono
Product: hono
Version / Range: all versions before 4.12.21 (4.12.21 itself is not affected)
CWE

CWE-693 (Protection Mechanism Failure): The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.

CWE-444 (Inconsistent Interpretation of HTTP Requests, 'HTTP Request/Response Smuggling'): The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.
Executive Summary

This vulnerability exists in the Hono web application framework prior to version 4.12.21. The issue arises because app.mount() strips the mount prefix from the incoming request path using the raw URL pathname, while route matching is done against the percent-decoded path. When the path contains percent-encoded multi-byte characters, this inconsistency causes the prefix to be stripped incorrectly, resulting in the mounted sub-application receiving an incorrect path.

Impact Analysis

The mounted sub-application receives a path that differs from the one the outer router matched. Because the prefix is removed by position from the raw, percent-encoded pathname while matching was done on the decoded path, a prefix that is percent-encoded on the wire is longer than the prefix as written, and the slice lands too early: the sub-application is handed a path that still carries part of the encoded prefix, possibly cut in the middle of a multi-byte sequence. The sub-application then routes on a string the parent never validated. The practical consequence depends on what the mounted application does with that path: requests can fail to reach the intended handler, reach a different one, or, where the parent made an authorization decision on the decoded path, be evaluated by the child against a path the parent did not see. The published description does not identify a specific exploit; severity in a given deployment depends on the mounted application.

Mitigation Strategies

To mitigate this vulnerability, upgrade the Hono framework to version 4.12.21 or later, where the issue with app.mount() handling of percent-encoded multi-byte characters in paths has been fixed.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

Affected Hono versions (before 4.12.21) strip the mount prefix by position from the raw, still percent-encoded request pathname, while the route was matched against the decoded path. Positions in the two representations diverge whenever characters inside the prefix are percent-encoded, which is always the case when the mount path itself contains multi-byte (non-ASCII) characters: '/€' is two characters, but every client sends it as the ten-character '/%E2%82%AC'. A percent-encoded character that appears only after an ASCII prefix does not move the strip position, so detection has to target mount paths whose prefix is encoded on the wire.

To probe a running deployment, identify the paths passed to app.mount() (any containing non-ASCII characters are the ones to test), send requests whose prefix is percent-encoded, and compare the path the sub-application actually receives, taken from its own logging or from a route that echoes the request URL, with the path you intended.

Example requests with curl; replace the host and the mount paths with your own (the mount paths below are hypothetical):

  • curl -v 'http://yourserver/%E2%82%AC/test' # sub-application mounted at '/€'; %E2%82%AC is the UTF-8 encoding of the Euro sign
  • curl -v 'http://yourserver/%F0%9F%92%A9/test' # sub-application mounted at '/💩'; %F0%9F%92%A9 is a four-byte emoji
  • curl -v 'http://yourserver/mountprefix/%E2%82%ACtest' # control: ASCII prefix with the encoded character after it; affected and fixed versions should both strip this correctly

On an affected version the sub-application sees a path that still contains part of the encoded prefix (for the first two requests, something other than '/test'); on a fixed version it sees '/test'. A mismatch between the path the sub-application logs or echoes and the intended one is the indicator to look for; a 404 from the sub-application on its own is not conclusive, since it may be legitimate.
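The following is an added example, not Hono's code and not part of the original advisory, that models the two path-stripping strategies the description contrasts (and that the Impact Analysis above relies on), so the effect can be seen without a running server. stripPrefixRaw slices the prefix length off the raw, percent-encoded pathname, as the affected behavior is described; stripPrefixDecoded decodes first so that matching and stripping use the same representation; compareStripping reports whether the two disagree for a given mount path and request URL; encodedRequestFor builds a probe URL with a percent-encoded prefix of the kind the curl checks above need. The function names, the http://localhost:3000 origin and the sample mount paths are illustrative assumptions.

```javascript
// Added example: a miniature model of the mount-prefix stripping described for
// CVE-2026-47676. Not Hono's implementation; names and sample paths are made up.

// Decode a percent-encoded string, returning null instead of throwing on a
// sequence that is not valid UTF-8 (which is what a mis-sliced prefix produces).
function safeDecode(s) {
  try {
    return decodeURIComponent(s);
  } catch {
    return null;
  }
}

// Affected behaviour as described: the prefix length is the character count of
// the mount path as written, but it is removed from the RAW pathname, which is
// still percent-encoded. For an ASCII prefix the two lengths agree; for a prefix
// with multi-byte characters they do not, and the slice lands mid-sequence.
function stripPrefixRaw(mountPath, requestUrl) {
  const prefixLength = mountPath === '/' ? 0 : mountPath.length;
  return new URL(requestUrl).pathname.slice(prefixLength) || '/';
}

// Consistent behaviour: match and strip on the same (decoded) representation.
// Returns null when the decoded path does not start with the mount path, i.e.
// when the mounted route would not have matched in the first place.
function stripPrefixDecoded(mountPath, requestUrl) {
  const decoded = safeDecode(new URL(requestUrl).pathname);
  if (decoded === null || !decoded.startsWith(mountPath)) return null;
  const prefixLength = mountPath === '/' ? 0 : mountPath.length;
  return decoded.slice(prefixLength) || '/';
}

// Run both strategies and report whether the sub-application would see
// different paths. The raw result is decoded before comparison so that a
// correctly positioned slice of an encoded suffix is not flagged.
function compareStripping(mountPath, requestUrl) {
  const raw = stripPrefixRaw(mountPath, requestUrl);
  const decoded = stripPrefixDecoded(mountPath, requestUrl);
  return { raw, decoded, diverges: safeDecode(raw) !== decoded };
}

// Build a probe URL for a mount path by percent-encoding every path segment of
// the prefix (which is what a client sends for a non-ASCII prefix anyway).
// The origin is a placeholder.
function encodedRequestFor(mountPath, suffix, origin = 'http://localhost:3000') {
  const encodedPrefix = mountPath.split('/').map((seg) => encodeURIComponent(seg)).join('/');
  return origin + encodedPrefix + suffix;
}

// Constructed sample cases: two non-ASCII prefixes (affected) and one ASCII
// prefix with the encoded character after it (strip position unaffected).
const sampleCases = [
  ['/日本', '/foo'],
  ['/€', '/test'],
  ['/api', '/%E2%82%ACtest'],
];
for (const [mountPath, suffix] of sampleCases) {
  const url = encodedRequestFor(mountPath, suffix);
  console.log(url, '->', JSON.stringify(compareStripping(mountPath, url)));
}
```

For the '/日本' case the raw strategy leaves '6%97%A5%E6%9C%AC/foo', which no longer decodes as UTF-8, while the decoded strategy yields '/foo'; for '/api' both agree, which is why the control request in the curl list should behave the same on affected and fixed versions.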

Independently of any probing, check the installed version (for example with npm ls hono, or by inspecting the lockfile) and confirm it is 4.12.21 or later; that is the only direct way to rule the issue out.
