Highyusuke

#37570 of 53,622
7.5 Total CVSS
Vulnerabilities · 1
PT-2026-23096
7.5
2026-03-04
Unknown · @Hono/Node-Server · CVE-2026-29087
**Name of the Vulnerable Software and Affected Versions**

@hono/node-server versions prior to 1.19.10

**Description**

@hono/node-server allows running the Hono application on Node.js. When using static file serving with route-based middleware protections, inconsistent URL decoding can allow protected static resources to be accessed without authorization. Paths containing encoded slashes (`%2F`) may be evaluated differently by routing/middleware matching versus static file path resolution, enabling a bypass where middleware does not run but the static file is still served. The routing layer preserves `%2F` as a literal string when matching routes, while the static handler decodes `%2F` into `/` before resolving the filesystem path. This does not allow access outside the configured static root and is not a path traversal issue.

An unauthenticated attacker could bypass route-based authorization protections for protected static resources by supplying paths containing encoded slashes. Applications relying solely on route-based middleware to protect static subpaths under the same static root may have exposed those resources.

**Recommendations**

Versions prior to 1.19.10 should be updated to version 1.19.10 or later.
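
The decoding mismatch described above, modelled in standalone JavaScript as an added example (not code from @hono/node-server or from this advisory): one function matches the raw path as the routing layer is described to do, another decodes it as the static handler is described to do, and a guard rejects encoded slashes before either layer sees them. `PROTECTED_PREFIX`, the function names and the sample paths are constructed assumptions.

```javascript
// Added illustration; a simplified model, not @hono/node-server code.
// PROTECTED_PREFIX and the sample paths are constructed for this example.
const PROTECTED_PREFIX = '/admin/';

// Router-style view: the path is matched as received, so %2F stays literal.
function routerSeesProtected(rawPath) {
  return rawPath.startsWith(PROTECTED_PREFIX);
}

// Static-handler-style view: percent-decoding turns %2F into '/'.
function decodePath(rawPath) {
  try {
    return decodeURIComponent(rawPath);
  } catch {
    return null; // malformed escape sequence
  }
}

// Guard to run before routing. Returns:
//   'reject'    - malformed encoding or an encoded slash in the path
//   'protected' - path must pass through the authorization middleware
//   'public'    - both views agree the path is outside the protected prefix
function classify(rawPath) {
  const decoded = decodePath(rawPath);
  if (decoded === null) return 'reject';
  if (/%2f/i.test(rawPath)) return 'reject';
  const isProtected =
    routerSeesProtected(rawPath) || decoded.startsWith(PROTECTED_PREFIX);
  return isProtected ? 'protected' : 'public';
}

// True when the two layers disagree about whether a path is protected.
// Useful for reviewing access logs recorded before the upgrade.
function layersDisagree(rawPath) {
  const decoded = decodePath(rawPath);
  if (decoded === null) return false;
  return routerSeesProtected(rawPath) !== decoded.startsWith(PROTECTED_PREFIX);
}

const samples = ['/admin/report.pdf', '/admin%2Freport.pdf',
  '/admin%2freport.pdf', '/public/logo.png', '/bad%zz'];
for (const p of samples) {
  const verdict = layersDisagree(p) ? 'MISMATCH' : 'consistent';
  console.log(p.padEnd(24), classify(p).padEnd(10), verdict);
}
```

A guard like this is defence in depth for deployments that cannot upgrade immediately; the fix remains updating to 1.19.10 or later.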