PT-2026-23096 · Unknown · @Hono/Node-Server

Highyusuke · Published 2026-03-04 · Updated 2026-05-18 · CVE-2026-29087

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: @hono/node-server versions prior to 1.19.10
Description: @hono/node-server allows running the Hono application on Node.js. When static file serving is combined with route-based middleware protections, inconsistent URL decoding can allow protected static resources to be accessed without authorization. Paths containing encoded slashes (%2F) may be evaluated differently by routing/middleware matching than by static file path resolution, enabling a bypass in which the middleware does not run but the static file is still served. The routing layer preserves %2F as a literal string when matching routes, while the static handler decodes %2F into / before resolving the filesystem path. This does not allow access outside the configured static root and is not a path traversal issue. An unauthenticated attacker could bypass route-based authorization protections for protected static resources by supplying paths containing encoded slashes. Applications relying solely on route-based middleware to protect static subpaths under the same static root may have exposed those resources.
Recommendations: Versions prior to 1.19.10 should be updated to version 1.19.10 or later.

Exploit

Fix

Weakness Enumeration

Incorrect Authorization

Related Identifiers

CLEANSTART-2026-BE61221
CVE-2026-29087
GHSA-WC8C-QW6V-H7F6

Affected Products

@Hono/Node-Server