PT-2026-23075 · Hono · Hono

Edamame-X

Published: 2026-03-04 · Updated: 2026-03-30

CVE-2026-29045

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Hono versions prior to 4.12.4

Description

Hono is a Web application framework supporting various JavaScript runtimes. An inconsistency in URL decoding between the router (decodeURI) and serveStatic (decodeURIComponent) allowed protected static resources to be accessed without authorization when using route-based middleware protections, such as app.use('/admin/*', ...). Specifically, paths containing encoded slashes (%2F) bypassed middleware protections while still resolving to the intended filesystem path. The router treated %2F as a literal string, while serveStatic decoded it to / before resolving the file path. This issue does not allow access outside the static root and is not a path traversal issue. An unauthenticated attacker could bypass route-based authorization for protected static resources by supplying paths containing encoded slashes. This affects applications that both protect subpaths using route-based middleware and serve files from the same static root using serveStatic.

Recommendations

Versions prior to 4.12.4 should be updated to version 4.12.4 or later.
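The decoding mismatch the description refers to, and a guard that evaluates a protected prefix against every decoded form of the request path, as an added example in plain JavaScript. It is not Hono's code; the function names and the sample paths are illustrative.

```javascript
// Added example, not Hono's implementation: models the two decoders the
// advisory names and shows why a prefix guard must decode consistently.

// How the router saw the path: decodeURI leaves reserved characters such
// as %2F (slash) percent-encoded, so "/admin%2Fx" is not under "/admin/".
function routerView(rawPath) {
  return decodeURI(rawPath);
}

// How serveStatic resolved the path: decodeURIComponent decodes %2F to "/",
// so the same request lands on "/admin/x" inside the static root.
function serveStaticView(rawPath) {
  return decodeURIComponent(rawPath);
}

// The flawed guard: matching the prefix against the router's view only.
function naivePrefixGuard(rawPath, prefix) {
  return routerView(rawPath).startsWith(prefix);
}

// Detection helper: true when the two decoders disagree, i.e. the path
// carries percent-encoded reserved characters (%2F, %3F, %23, ...) or is
// malformed. Such requests are worth logging even when they are blocked.
function hasDecodingMismatch(rawPath) {
  try {
    return routerView(rawPath) !== serveStaticView(rawPath);
  } catch {
    return true; // URIError on bad percent-encoding: treat as suspicious
  }
}

// Hardened guard: the request counts as under `prefix` if ANY decoded form
// of it is, so the form serveStatic will use cannot slip past the check.
function isUnderProtectedPrefix(rawPath, prefix) {
  const views = [rawPath];
  try { views.push(decodeURI(rawPath)); } catch {}
  try { views.push(decodeURIComponent(rawPath)); } catch {}
  const bare = prefix.replace(/\/$/, '');
  return views.some((p) => p === bare || p.startsWith(prefix));
}
```

The naive guard and the hardened guard disagree exactly on the encoded-slash case the advisory describes, which is the condition a regression test for this class of bug should assert.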

Related Identifiers

CVE-2026-29045
GHSA-Q5QW-H33P-QVWR

Affected Products

Hono