PT-2026-44416 · Hono · Hono
Rootingg · Published 2026-05-28 · Updated 2026-05-29 · CVE-2026-47676
CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Hono versions prior to 4.12.21
Description
In the app.mount() function, the mount prefix is stripped from the incoming request path using the raw URL pathname, whereas route matching is conducted against the percent-decoded path. This inconsistency leads to the prefix being removed from the incorrect position when the path includes percent-encoded multi-byte characters, causing the mounted sub-application to receive an incorrect path.
Recommendations
Update to version 4.12.21.
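The mismatch in the Description, shown as a simplified model that is an added example and not Hono's source code or its fix. The function names, the mount prefix and the request paths are assumptions constructed for illustration; the model contrasts slicing the raw pathname by the decoded prefix length with a segment-wise comparison that can serve as a regression check after upgrading.

```javascript
// Simplified model of the mismatch in the Description; not Hono's source.
// The mount prefix and request paths below are constructed samples.

// Inconsistent: the prefix length is counted in decoded characters, but
// the slice is applied to the raw, still percent-encoded pathname.
function stripPrefixFromRaw(rawPathname, prefix) {
  return rawPathname.slice(prefix.length) || '/';
}

// Consistent: compare the prefix segment by segment against the decoded
// form of each raw segment, then return the untouched raw remainder.
// Returns null when the prefix does not match or the encoding is malformed.
function stripPrefixConsistent(rawPathname, prefix) {
  const prefixSegs = prefix.split('/').filter(Boolean);
  const rawSegs = rawPathname.split('/').slice(1);
  if (rawSegs.length < prefixSegs.length) return null;
  for (let i = 0; i < prefixSegs.length; i++) {
    let decoded;
    try {
      decoded = decodeURI(rawSegs[i]); // leaves %2F and other reserved escapes alone
    } catch {
      return null; // malformed percent-encoding: refuse rather than guess
    }
    if (decoded !== prefixSegs[i]) return null;
  }
  return '/' + rawSegs.slice(prefixSegs.length).join('/');
}

// True when the two strategies would hand the sub-application different paths.
function prefixStripDiverges(rawPathname, prefix) {
  return stripPrefixFromRaw(rawPathname, prefix) !== stripPrefixConsistent(rawPathname, prefix);
}

// Constructed samples: an ASCII prefix and a multi-byte prefix.
const samples = [
  ['/api/admin/users', '/api'],
  ['/%E6%97%A5%E6%9C%AC/admin/users', '/日本'],
];
for (const [raw, prefix] of samples) {
  console.log(prefix, '->', {
    rawSlice: stripPrefixFromRaw(raw, prefix),
    consistent: stripPrefixConsistent(raw, prefix),
    diverges: prefixStripDiverges(raw, prefix),
  });
}
```

With the ASCII prefix both strategies agree, which is why the defect only shows up when the mounted path contains percent-encoded multi-byte characters.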
Fix
HTTP Request/Response Smuggling
Protection Mechanism Failure
Affected Products
Hono