Yusukebe

**Name of the Vulnerable Software and Affected Versions** @hono/node-server versions prior to 1.10.1 **Description** The application hangs when receiving a Host header with a value that `@hono/node-server` can't handle well. Invalid values are those that cannot be parsed by the `URL` as a hostname, such as an empty string, slashes `/`, and other strings. **Recommendations** For versions prior to 1.10.1, update to version 1.10.1 or later to resolve the issue. It is recommended to use version 1.11.0, which includes additional fixes related to this issue.

**Name of the Vulnerable Software and Affected Versions** @hono/node-server versions 1.3.0 through 1.4.0 **Description** The issue arises from the `url` behavior in @hono/node-server's Request object, which does not resolve "double dots" (`..`) in URLs, potentially leading to vulnerabilities when using `serveStatic`. This behavior differs from the standard API, where URLs containing `..` are resolved to their actual path. For example, `http://localhost/static/.. /foo.txt` is returned instead of being resolved to `http://localhost/foo.txt`. This issue may not affect users accessing the application through modern web browsers or the latest `curl` command, as these tools resolve double dots on the client side. However, problems can occur if the application is accessed by a client that does not resolve double dots. **Recommendations** For versions 1.3.0 through 1.4.0, update to version 1.4.1, which includes the fix for this issue. As a temporary workaround for affected versions, do not use `serveStatic`.

**Name of the Vulnerable Software and Affected Versions** Hono versions prior to 3.11.7 **Description** The issue allows clients to override named path parameter values from previous requests when the application is using TrieRouter. This poses a risk that a privileged user may use unintended parameters when deleting REST API resources. TrieRouter is used either explicitly or when the application matches a pattern that is not supported by the default RegExpRouter. **Recommendations** For versions prior to 3.11.7, update to version 3.11.7 to fix the issue. As a temporary workaround, avoid using TrieRouter directly.