PT-2024-19820 · Unknown · @Hono/Node-Server

Yusukebe · Published 2024-01-22 · Updated 2024-01-30 · CVE-2024-23340

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions
@hono/node-server versions 1.3.0 through 1.4.0

Description
The issue arises from the url property of @hono/node-server's Request object, which does not resolve "double dots" (..) in URLs, which can lead to path traversal when serveStatic is used. This behavior differs from the standard URL API, where .. segments are resolved to the actual path. For example, http://localhost/static/../foo.txt is returned as-is instead of being resolved to http://localhost/foo.txt. Users accessing the application through modern web browsers or a current curl command may not be affected, because these clients resolve double dots on the client side before sending the request. Problems can occur, however, when the application is accessed by a client that does not resolve double dots.

Recommendations
For versions 1.3.0 through 1.4.0, update to version 1.4.1, which includes the fix for this issue. As a temporary workaround for affected versions, do not use serveStatic.
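Added example (not code from Hono or @hono/node-server): the dot-segment resolution that the standard URL API performs, shown next to a containment check a static-file handler can apply so that an unresolved ".." can never select a file outside the mounted directory. The mount prefix /static and the root directory /srv/app/public are assumed values.

```javascript
// Added example, not code from @hono/node-server or Hono. It shows the dot-segment
// removal (RFC 3986 section 5.2.4) that a standards-conforming URL parser performs,
// which a raw request string may lack, and a containment check a static-file
// handler can apply. URL_PREFIX and STATIC_ROOT are hypothetical values.
const URL_PREFIX = "/static";           // hypothetical mount prefix of serveStatic
const STATIC_ROOT = "/srv/app/public";  // hypothetical directory backing that prefix

// Collapse "." and ".." segments of an absolute URL path, keeping a trailing slash
// when the last segment was a dot segment (e.g. "/a/b/.." -> "/a/").
function removeDotSegments(pathname) {
  const segments = pathname.split("/").slice(1);
  const out = [];
  segments.forEach((seg, i) => {
    const last = i === segments.length - 1;
    if (seg === "." || seg === "..") {
      if (seg === "..") out.pop();   // pop() on an empty array is a no-op, so "/.." stays at root
      if (last) out.push("");
      return;
    }
    out.push(seg);
  });
  return "/" + out.join("/");
}

// Map a request path to a file under STATIC_ROOT. Percent-decode first so that
// encoded dot segments ("%2e%2e") and encoded slashes ("..%2f") are normalised too,
// then require the cleaned path to still lie under URL_PREFIX. Returns null when
// the request escapes the mount or carries malformed percent-encoding.
function resolveStaticFile(pathname) {
  let decoded;
  try {
    decoded = decodeURIComponent(pathname);
  } catch {
    return null;
  }
  const clean = removeDotSegments(decoded);
  if (!clean.startsWith(URL_PREFIX + "/")) return null;
  return STATIC_ROOT + clean.slice(URL_PREFIX.length);
}

// A raw URL as the affected Request object exposed it, and the same request as the
// standard parser resolves it (constructed sample input).
const rawUrl = "http://localhost/static/../foo.txt";
console.log(new URL(rawUrl).pathname);                  // /foo.txt  (standard behaviour)
console.log(removeDotSegments("/static/../foo.txt"));   // /foo.txt  (same result)
console.log(resolveStaticFile("/static/../foo.txt"));   // null      (rejected)
console.log(resolveStaticFile("/static/css/site.css")); // /srv/app/public/css/site.css
```

The check is deliberately independent of how the upstream parser handled the URL, so it holds whether the request path arrives raw or already normalised.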

Path traversal


Weakness Enumeration

Related Identifiers

CVE-2024-23340
GHSA-RJQ5-W47X-X359

Affected Products

@Hono/Node-Server