PT-2026-31281 · Hono · Hono

Published 2026-04-08 · Updated 2026-04-08 · CVE-2026-39407

CVSS v3.1: 5.3 Medium

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Hono versions prior to 4.12.12

Description

A path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes (//) in the request path. When route-based middleware (e.g., /admin/*) is used for authorization, the router may not match paths containing repeated slashes, while serveStatic resolves them as normalized paths. This can lead to a middleware bypass. For example, a request like GET //admin/secret.txt can bypass middleware registered on /admin/* and access protected files. The routing layer and serveStatic handle repeated slashes differently.

Recommendations

Update to version 4.12.12 or later.
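
The mismatch described above, modelled as an added JavaScript example (not Hono's router or serveStatic code, and not part of the advisory). The function names, the literal prefix match standing in for the /admin/* middleware, and the in-memory file map are all assumptions made for illustration.

```javascript
// Simplified model of the two layers; this is not Hono's router or serveStatic source.
const PROTECTED_PREFIX = '/admin/'; // stands in for middleware registered on /admin/*

// Constructed in-memory files standing in for the static root.
const FILES = new Map([
  ['/admin/secret.txt', 'protected'],
  ['/public/app.js', 'public'],
]);

// Collapse runs of slashes into one, as the static layer is described as doing.
function canonicalize(path) {
  return path.replace(/\/{2,}/g, '/');
}

// Route layer (modelled): literal prefix match on the path it is given.
function needsAuth(path) {
  return path.startsWith(PROTECTED_PREFIX);
}

// Static layer (modelled): always resolves the normalized path.
function readStatic(path) {
  return FILES.get(canonicalize(path));
}

// Run one request and return the status code. With guard=true the path is
// canonicalized once, up front, so the authorization decision and the file
// lookup both see the same string.
function handle(rawPath, { authorized = false, guard = false } = {}) {
  const path = guard ? canonicalize(rawPath) : rawPath;
  if (needsAuth(path) && !authorized) return 401;
  return readStatic(path) === undefined ? 404 : 200;
}

// Log review helper: flag request paths the route layer would not treat as
// protected even though their normalized form is under the protected prefix.
function findMismatches(paths) {
  return paths.filter((p) => !needsAuth(p) && needsAuth(canonicalize(p)));
}

// Constructed request paths for the demonstration.
const SAMPLE_PATHS = ['/admin/secret.txt', '//admin/secret.txt', '/public//app.js', '/admin//secret.txt'];
for (const p of SAMPLE_PATHS) {
  console.log(p, 'unguarded:', handle(p), 'guarded:', handle(p, { guard: true }));
}
console.log('mismatches:', findMismatches(SAMPLE_PATHS));
```

Making one canonical path the input to both the authorization check and the file lookup is the general pattern; the remediation this advisory gives is updating to 4.12.12 or later.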

Fix

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2026-39407
GHSA-WMMM-F939-6G9C

Affected Products

Hono