PT-2026-31280 · Unknown · @Hono/Node-Server
Published: 2026-04-08 · Updated: 2026-05-18
CVE-2026-39406
CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions
@hono/node-server versions prior to 1.19.13
Description
A path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes (//) in the request path. When route-based middleware (e.g., /admin/*) is used for authorization, the router may not match paths containing repeated slashes, while serveStatic resolves them as normalized paths, leading to a middleware bypass. An attacker can use this to access static files that route-based middleware was intended to protect, which can lead to unauthorized access to sensitive files under the static root.
Recommendations
Update @hono/node-server to version 1.19.13 or later.
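The mismatch in the description, sketched as an added JavaScript example (not code from @hono/node-server or Hono): `guardMatches` and `resolveStatic` are simplified stand-ins for a segment-wise route matcher and a normalizing file resolver, and `canonicalPath`, `handle` and `STATIC_ROOT` are hypothetical names. It shows the guard and the resolver disagreeing on a repeated-slash path, and that canonicalizing the path once, before both the authorization decision and the file lookup, removes the disagreement.

```javascript
// Simplified models (assumptions), not the library's implementation.
const STATIC_ROOT = '/srv/static'; // constructed sample root

// Route guard model: compares the pattern with the raw path segment by segment,
// so an empty segment produced by '//' shifts everything and the match fails.
function guardMatches(pattern, rawPath) {
  const want = pattern.split('/');
  const got = rawPath.split('/');
  for (let i = 0; i < want.length; i++) {
    if (want[i] === '*') return true;
    if (want[i] !== got[i]) return false;
  }
  return want.length === got.length;
}

// Static resolver model: drops empty segments, i.e. treats '//' like '/'.
function resolveStatic(root, rawPath) {
  const segments = rawPath.split('/').filter((s) => s !== '');
  return [root, ...segments].join('/');
}

// Defensive step: one canonical form of the path, computed before routing.
function canonicalPath(rawPath) {
  return rawPath.replace(/\/{2,}/g, '/');
}

// Request handling model: the guard protects /admin/*, then the file is served.
// With normalizeFirst, guard and resolver both see the same canonical path.
function handle(rawPath, { authorized, normalizeFirst }) {
  const routed = normalizeFirst ? canonicalPath(rawPath) : rawPath;
  if (guardMatches('/admin/*', routed) && !authorized) {
    return { status: 401, file: null };
  }
  return { status: 200, file: resolveStatic(STATIC_ROOT, routed) };
}

// Constructed sample requests, all unauthenticated.
for (const p of ['/admin/report.txt', '//admin/report.txt', '/public/app.js']) {
  const raw = handle(p, { authorized: false, normalizeFirst: false });
  const fixed = handle(p, { authorized: false, normalizeFirst: true });
  console.log(p, '| raw routing:', raw.status, '| canonical first:', fixed.status);
}
```

The same check is useful as a regression test after upgrading: any path that differs from its canonical form should get the same authorization outcome as the canonical one.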
Fix
Path traversal
Affected Products
@Hono/Node-Server