
Techfish-11

#25074 of 53,622
9.8 Total CVSS
Vulnerabilities · 1
PT-2026-23075
9.8
2026-03-04
Hono · Hono · CVE-2026-29045
**Name of the Vulnerable Software and Affected Versions** Hono versions prior to 4.12.4

**Description** Hono is a Web application framework supporting various JavaScript runtimes. An inconsistency in URL decoding between the router (`decodeURI`) and `serveStatic` (`decodeURIComponent`) allowed protected static resources to be accessed without authorization when using route-based middleware protections, such as `app.use('/admin/*', ...)`. Specifically, paths containing encoded slashes (`%2F`) bypassed middleware protections while still resolving to the intended filesystem path. The router treated `%2F` as a literal string, while `serveStatic` decoded it to `/` before resolving the file path. This issue does not allow access outside the static root and is not a path traversal issue.

An unauthenticated attacker could bypass route-based authorization for protected static resources by supplying paths containing encoded slashes. This affects applications that both protect subpaths using route-based middleware and serve files from the same static root using `serveStatic`.

**Recommendations** Versions prior to 4.12.4 should be updated to version 4.12.4 or later.
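The decoding mismatch described above can be checked for in access logs. The following is an added example, not Hono's code or part of the advisory: it models the two decoders the description names and classifies raw request paths by whether the route guard and the file resolver would see the same path. The function names, the `/admin/` prefix constant and the sample paths are assumptions made for illustration.

```javascript
// Added illustration: models the two decoders named in the advisory.
// routerView, staticView and classify are hypothetical names, not Hono internals.
const PROTECTED_PREFIX = '/admin/'; // stands in for app.use('/admin/*', ...)

// Path as the route matcher sees it: decodeURI leaves %2F encoded.
function routerView(rawPath) {
  try { return decodeURI(rawPath); } catch { return null; }
}

// Path as the static file resolver sees it: decodeURIComponent turns %2F into '/'.
function staticView(rawPath) {
  try { return decodeURIComponent(rawPath); } catch { return null; }
}

// Classify one raw request path, as it would appear in an access log.
function classify(rawPath) {
  const routed = routerView(rawPath);
  const resolved = staticView(rawPath);
  if (routed === null || resolved === null) return 'malformed';
  const guardRuns = routed.startsWith(PROTECTED_PREFIX);
  const fileProtected = resolved.startsWith(PROTECTED_PREFIX);
  // The advisory's case: the file is under the protected prefix,
  // but the prefix-based middleware never matched the request.
  if (fileProtected && !guardRuns) return 'guard-skipped';
  // Any other disagreement between the decoders is still worth reviewing.
  if (routed !== resolved) return 'decoders-disagree';
  return guardRuns ? 'guarded' : 'consistent';
}

// Constructed sample paths, not taken from any real log.
const samples = [
  '/admin/report.pdf',
  '/admin%2Freport.pdf',
  '/public/logo%20v2.png',
  '/public%2Flogo.png',
  '/public/%ZZ',
];

for (const p of samples) {
  console.log(classify(p).padEnd(18), p);
}
```

A `guard-skipped` result in logs from a deployment running a version prior to 4.12.4 marks a request that reached a protected static file without the middleware running.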