Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
10 vulnerabilities found for node-server by hono
CVE-2026-39406 (GCVE-0-2026-39406)
Vulnerability from nvd – Published: 2026-04-08 14:34 – Updated: 2026-04-08 15:17
VLAI?
Title
@hono/node-server has a middleware bypass via repeated slashes in serveStatic
Summary
@hono/node-server allows running the Hono application on Node.js. Prior to 1.19.13, a path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes (//) in the request path. When route-based middleware (e.g., /admin/*) is used for authorization, the router may not match paths containing repeated slashes, while serveStatic resolves them as normalized paths. This can lead to a middleware bypass. This vulnerability is fixed in 1.19.13.
Severity ?
5.3 (Medium)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| honojs | node-server |
Affected:
< 1.19.13
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-39406",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-08T15:17:32.143505Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T15:17:38.121Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "node-server",
"vendor": "honojs",
"versions": [
{
"status": "affected",
"version": "\u003c 1.19.13"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "@hono/node-server allows running the Hono application on Node.js. Prior to 1.19.13, a path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes (//) in the request path. When route-based middleware (e.g., /admin/*) is used for authorization, the router may not match paths containing repeated slashes, while serveStatic resolves them as normalized paths. This can lead to a middleware bypass. This vulnerability is fixed in 1.19.13."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T14:34:30.543Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/honojs/node-server/security/advisories/GHSA-92pp-h63x-v22m",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/honojs/node-server/security/advisories/GHSA-92pp-h63x-v22m"
}
],
"source": {
"advisory": "GHSA-92pp-h63x-v22m",
"discovery": "UNKNOWN"
},
"title": "@hono/node-server has a middleware bypass via repeated slashes in serveStatic"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-39406",
"datePublished": "2026-04-08T14:34:30.543Z",
"dateReserved": "2026-04-07T00:23:30.594Z",
"dateUpdated": "2026-04-08T15:17:38.121Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-29087 (GCVE-0-2026-29087)
Vulnerability from nvd – Published: 2026-03-06 17:03 – Updated: 2026-03-06 18:02
VLAI?
Title
@hono/node-server: Authorization bypass for protected static paths via encoded slashes in Serve Static Middleware
Summary
@hono/node-server allows running the Hono application on Node.js. Prior to version 1.19.10, when using @hono/node-server's static file serving together with route-based middleware protections (e.g. protecting /admin/*), inconsistent URL decoding can allow protected static resources to be accessed without authorization. In particular, paths containing encoded slashes (%2F) may be evaluated differently by routing/middleware matching versus static file path resolution, enabling a bypass where middleware does not run but the static file is still served. This issue has been patched in version 1.19.10.
Severity ?
7.5 (High)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| honojs | node-server |
Affected:
< 1.19.10
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-29087",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-06T17:58:30.981713Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-06T18:02:36.517Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "node-server",
"vendor": "honojs",
"versions": [
{
"status": "affected",
"version": "\u003c 1.19.10"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "@hono/node-server allows running the Hono application on Node.js. Prior to version 1.19.10, when using @hono/node-server\u0027s static file serving together with route-based middleware protections (e.g. protecting /admin/*), inconsistent URL decoding can allow protected static resources to be accessed without authorization. In particular, paths containing encoded slashes (%2F) may be evaluated differently by routing/middleware matching versus static file path resolution, enabling a bypass where middleware does not run but the static file is still served. This issue has been patched in version 1.19.10."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-06T17:03:30.412Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/honojs/node-server/security/advisories/GHSA-wc8c-qw6v-h7f6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/honojs/node-server/security/advisories/GHSA-wc8c-qw6v-h7f6"
},
{
"name": "https://github.com/honojs/node-server/commit/455015be1697dd89974a68b70350ea7b2d126d2e",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/honojs/node-server/commit/455015be1697dd89974a68b70350ea7b2d126d2e"
}
],
"source": {
"advisory": "GHSA-wc8c-qw6v-h7f6",
"discovery": "UNKNOWN"
},
"title": "@hono/node-server: Authorization bypass for protected static paths via encoded slashes in Serve Static Middleware"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-29087",
"datePublished": "2026-03-06T17:03:30.412Z",
"dateReserved": "2026-03-03T20:51:43.484Z",
"dateUpdated": "2026-03-06T18:02:36.517Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-32652 (GCVE-0-2024-32652)
Vulnerability from nvd – Published: 2024-04-19 18:29 – Updated: 2024-08-02 02:13
VLAI?
Title
@hono/node-server contains Denial of Service risk when receiving Host header that cannot be parsed
Summary
The adapter @hono/node-server allows you to run your Hono application on Node.js. Prior to 1.10.1, the application hangs when receiving a Host header with a value that `@hono/node-server` can't handle well. Invalid values are those that cannot be parsed by the `URL` as a hostname such as an empty string, slashes `/`, and other strings. The version 1.10.1 includes the fix for this issue.
Severity ?
7.5 (High)
CWE
- CWE-755 - Improper Handling of Exceptional Conditions
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| honojs | node-server |
Affected:
>= 1.3.0, < 1.10.1
|
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:hono:node-server:*:*:*:*:*:node.js:*:*"
],
"defaultStatus": "unknown",
"product": "node-server",
"vendor": "hono",
"versions": [
{
"lessThan": "1.10.1",
"status": "affected",
"version": "1.3.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-32652",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-23T14:58:57.373374Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:52:02.191Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T02:13:40.330Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/honojs/node-server/security/advisories/GHSA-hgxw-5xg3-69jx",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/honojs/node-server/security/advisories/GHSA-hgxw-5xg3-69jx"
},
{
"name": "https://github.com/honojs/node-server/issues/159",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/honojs/node-server/issues/159"
},
{
"name": "https://github.com/honojs/node-server/commit/d847e60249fd8183ba0998bc379ba20505643204",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/honojs/node-server/commit/d847e60249fd8183ba0998bc379ba20505643204"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "node-server",
"vendor": "honojs",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.3.0, \u003c 1.10.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The adapter @hono/node-server allows you to run your Hono application on Node.js. Prior to 1.10.1, the application hangs when receiving a Host header with a value that `@hono/node-server` can\u0027t handle well. Invalid values are those that cannot be parsed by the `URL` as a hostname such as an empty string, slashes `/`, and other strings. The version 1.10.1 includes the fix for this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-755",
"description": "CWE-755: Improper Handling of Exceptional Conditions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-19T18:29:42.857Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/honojs/node-server/security/advisories/GHSA-hgxw-5xg3-69jx",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/honojs/node-server/security/advisories/GHSA-hgxw-5xg3-69jx"
},
{
"name": "https://github.com/honojs/node-server/issues/159",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/honojs/node-server/issues/159"
},
{
"name": "https://github.com/honojs/node-server/commit/d847e60249fd8183ba0998bc379ba20505643204",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/honojs/node-server/commit/d847e60249fd8183ba0998bc379ba20505643204"
}
],
"source": {
"advisory": "GHSA-hgxw-5xg3-69jx",
"discovery": "UNKNOWN"
},
"title": "@hono/node-server contains Denial of Service risk when receiving Host header that cannot be parsed"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-32652",
"datePublished": "2024-04-19T18:29:42.857Z",
"dateReserved": "2024-04-16T14:15:26.876Z",
"dateUpdated": "2024-08-02T02:13:40.330Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-23340 (GCVE-0-2024-23340)
Vulnerability from nvd – Published: 2024-01-22 23:00 – Updated: 2025-05-30 14:21
VLAI?
Title
@hono/node-server can't handle "double dots" in URL
Summary
@hono/node-server is an adapter that allows users to run Hono applications on Node.js. Since v1.3.0, @hono/node-server has used its own Request object with `url` behavior that is unexpected. In the standard API, if the URL contains `..`, here called "double dots", the URL string returned by Request will be in the resolved path. However, the `url` in @hono/node-server's Request as does not resolve double dots, so `http://localhost/static/.. /foo.txt` is returned. This causes vulnerabilities when using `serveStatic`. Modern web browsers and a latest `curl` command resolve double dots on the client side, so this issue doesn't affect those using either of those tools. However, problems may occur if accessed by a client that does not resolve them. Version 1.4.1 includes the change to fix this issue. As a workaround, don't use `serveStatic`.
Severity ?
5.3 (Medium)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| honojs | node-server |
Affected:
>= 1.3.0, < 1.4.1
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T22:59:32.309Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/honojs/node-server/security/advisories/GHSA-rjq5-w47x-x359",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/honojs/node-server/security/advisories/GHSA-rjq5-w47x-x359"
},
{
"name": "https://github.com/honojs/node-server/commit/dd9b9a9b23e3896403c90a740e7f1f0892feb402",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/honojs/node-server/commit/dd9b9a9b23e3896403c90a740e7f1f0892feb402"
},
{
"name": "https://github.com/honojs/node-server/blob/8cea466fd05e6d2e99c28011fc0e2c2d3f3397c9/src/request.ts#L43-L45",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/honojs/node-server/blob/8cea466fd05e6d2e99c28011fc0e2c2d3f3397c9/src/request.ts#L43-L45"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-23340",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-08T15:34:31.017406Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-30T14:21:51.423Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "node-server",
"vendor": "honojs",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.3.0, \u003c 1.4.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "@hono/node-server is an adapter that allows users to run Hono applications on Node.js. Since v1.3.0, @hono/node-server has used its own Request object with `url` behavior that is unexpected. In the standard API, if the URL contains `..`, here called \"double dots\", the URL string returned by Request will be in the resolved path. However, the `url` in @hono/node-server\u0027s Request as does not resolve double dots, so `http://localhost/static/.. /foo.txt` is returned. This causes vulnerabilities when using `serveStatic`. Modern web browsers and a latest `curl` command resolve double dots on the client side, so this issue doesn\u0027t affect those using either of those tools. However, problems may occur if accessed by a client that does not resolve them. Version 1.4.1 includes the change to fix this issue. As a workaround, don\u0027t use `serveStatic`.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-22T23:00:34.510Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/honojs/node-server/security/advisories/GHSA-rjq5-w47x-x359",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/honojs/node-server/security/advisories/GHSA-rjq5-w47x-x359"
},
{
"name": "https://github.com/honojs/node-server/commit/dd9b9a9b23e3896403c90a740e7f1f0892feb402",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/honojs/node-server/commit/dd9b9a9b23e3896403c90a740e7f1f0892feb402"
},
{
"name": "https://github.com/honojs/node-server/blob/8cea466fd05e6d2e99c28011fc0e2c2d3f3397c9/src/request.ts#L43-L45",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/honojs/node-server/blob/8cea466fd05e6d2e99c28011fc0e2c2d3f3397c9/src/request.ts#L43-L45"
}
],
"source": {
"advisory": "GHSA-rjq5-w47x-x359",
"discovery": "UNKNOWN"
},
"title": "@hono/node-server can\u0027t handle \"double dots\" in URL"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-23340",
"datePublished": "2024-01-22T23:00:34.510Z",
"dateReserved": "2024-01-15T15:19:19.444Z",
"dateUpdated": "2025-05-30T14:21:51.423Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2026-39406 (GCVE-0-2026-39406)
Vulnerability from cvelistv5 – Published: 2026-04-08 14:34 – Updated: 2026-04-08 15:17
VLAI?
Title
@hono/node-server has a middleware bypass via repeated slashes in serveStatic
Summary
@hono/node-server allows running the Hono application on Node.js. Prior to 1.19.13, a path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes (//) in the request path. When route-based middleware (e.g., /admin/*) is used for authorization, the router may not match paths containing repeated slashes, while serveStatic resolves them as normalized paths. This can lead to a middleware bypass. This vulnerability is fixed in 1.19.13.
Severity ?
5.3 (Medium)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| honojs | node-server |
Affected:
< 1.19.13
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-39406",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-08T15:17:32.143505Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T15:17:38.121Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "node-server",
"vendor": "honojs",
"versions": [
{
"status": "affected",
"version": "\u003c 1.19.13"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "@hono/node-server allows running the Hono application on Node.js. Prior to 1.19.13, a path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes (//) in the request path. When route-based middleware (e.g., /admin/*) is used for authorization, the router may not match paths containing repeated slashes, while serveStatic resolves them as normalized paths. This can lead to a middleware bypass. This vulnerability is fixed in 1.19.13."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T14:34:30.543Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/honojs/node-server/security/advisories/GHSA-92pp-h63x-v22m",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/honojs/node-server/security/advisories/GHSA-92pp-h63x-v22m"
}
],
"source": {
"advisory": "GHSA-92pp-h63x-v22m",
"discovery": "UNKNOWN"
},
"title": "@hono/node-server has a middleware bypass via repeated slashes in serveStatic"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-39406",
"datePublished": "2026-04-08T14:34:30.543Z",
"dateReserved": "2026-04-07T00:23:30.594Z",
"dateUpdated": "2026-04-08T15:17:38.121Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-29087 (GCVE-0-2026-29087)
Vulnerability from cvelistv5 – Published: 2026-03-06 17:03 – Updated: 2026-03-06 18:02
VLAI?
Title
@hono/node-server: Authorization bypass for protected static paths via encoded slashes in Serve Static Middleware
Summary
@hono/node-server allows running the Hono application on Node.js. Prior to version 1.19.10, when using @hono/node-server's static file serving together with route-based middleware protections (e.g. protecting /admin/*), inconsistent URL decoding can allow protected static resources to be accessed without authorization. In particular, paths containing encoded slashes (%2F) may be evaluated differently by routing/middleware matching versus static file path resolution, enabling a bypass where middleware does not run but the static file is still served. This issue has been patched in version 1.19.10.
Severity ?
7.5 (High)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| honojs | node-server |
Affected:
< 1.19.10
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-29087",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-06T17:58:30.981713Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-06T18:02:36.517Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "node-server",
"vendor": "honojs",
"versions": [
{
"status": "affected",
"version": "\u003c 1.19.10"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "@hono/node-server allows running the Hono application on Node.js. Prior to version 1.19.10, when using @hono/node-server\u0027s static file serving together with route-based middleware protections (e.g. protecting /admin/*), inconsistent URL decoding can allow protected static resources to be accessed without authorization. In particular, paths containing encoded slashes (%2F) may be evaluated differently by routing/middleware matching versus static file path resolution, enabling a bypass where middleware does not run but the static file is still served. This issue has been patched in version 1.19.10."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-06T17:03:30.412Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/honojs/node-server/security/advisories/GHSA-wc8c-qw6v-h7f6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/honojs/node-server/security/advisories/GHSA-wc8c-qw6v-h7f6"
},
{
"name": "https://github.com/honojs/node-server/commit/455015be1697dd89974a68b70350ea7b2d126d2e",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/honojs/node-server/commit/455015be1697dd89974a68b70350ea7b2d126d2e"
}
],
"source": {
"advisory": "GHSA-wc8c-qw6v-h7f6",
"discovery": "UNKNOWN"
},
"title": "@hono/node-server: Authorization bypass for protected static paths via encoded slashes in Serve Static Middleware"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-29087",
"datePublished": "2026-03-06T17:03:30.412Z",
"dateReserved": "2026-03-03T20:51:43.484Z",
"dateUpdated": "2026-03-06T18:02:36.517Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-32652 (GCVE-0-2024-32652)
Vulnerability from cvelistv5 – Published: 2024-04-19 18:29 – Updated: 2024-08-02 02:13
VLAI?
Title
@hono/node-server contains Denial of Service risk when receiving Host header that cannot be parsed
Summary
The adapter @hono/node-server allows you to run your Hono application on Node.js. Prior to 1.10.1, the application hangs when receiving a Host header with a value that `@hono/node-server` can't handle well. Invalid values are those that cannot be parsed by the `URL` as a hostname such as an empty string, slashes `/`, and other strings. The version 1.10.1 includes the fix for this issue.
Severity ?
7.5 (High)
CWE
- CWE-755 - Improper Handling of Exceptional Conditions
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| honojs | node-server |
Affected:
>= 1.3.0, < 1.10.1
|
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:hono:node-server:*:*:*:*:*:node.js:*:*"
],
"defaultStatus": "unknown",
"product": "node-server",
"vendor": "hono",
"versions": [
{
"lessThan": "1.10.1",
"status": "affected",
"version": "1.3.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-32652",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-23T14:58:57.373374Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:52:02.191Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T02:13:40.330Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/honojs/node-server/security/advisories/GHSA-hgxw-5xg3-69jx",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/honojs/node-server/security/advisories/GHSA-hgxw-5xg3-69jx"
},
{
"name": "https://github.com/honojs/node-server/issues/159",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/honojs/node-server/issues/159"
},
{
"name": "https://github.com/honojs/node-server/commit/d847e60249fd8183ba0998bc379ba20505643204",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/honojs/node-server/commit/d847e60249fd8183ba0998bc379ba20505643204"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "node-server",
"vendor": "honojs",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.3.0, \u003c 1.10.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The adapter @hono/node-server allows you to run your Hono application on Node.js. Prior to 1.10.1, the application hangs when receiving a Host header with a value that `@hono/node-server` can\u0027t handle well. Invalid values are those that cannot be parsed by the `URL` as a hostname such as an empty string, slashes `/`, and other strings. The version 1.10.1 includes the fix for this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-755",
"description": "CWE-755: Improper Handling of Exceptional Conditions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-19T18:29:42.857Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/honojs/node-server/security/advisories/GHSA-hgxw-5xg3-69jx",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/honojs/node-server/security/advisories/GHSA-hgxw-5xg3-69jx"
},
{
"name": "https://github.com/honojs/node-server/issues/159",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/honojs/node-server/issues/159"
},
{
"name": "https://github.com/honojs/node-server/commit/d847e60249fd8183ba0998bc379ba20505643204",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/honojs/node-server/commit/d847e60249fd8183ba0998bc379ba20505643204"
}
],
"source": {
"advisory": "GHSA-hgxw-5xg3-69jx",
"discovery": "UNKNOWN"
},
"title": "@hono/node-server contains Denial of Service risk when receiving Host header that cannot be parsed"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-32652",
"datePublished": "2024-04-19T18:29:42.857Z",
"dateReserved": "2024-04-16T14:15:26.876Z",
"dateUpdated": "2024-08-02T02:13:40.330Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-23340 (GCVE-0-2024-23340)
Vulnerability from cvelistv5 – Published: 2024-01-22 23:00 – Updated: 2025-05-30 14:21
VLAI?
Title
@hono/node-server can't handle "double dots" in URL
Summary
@hono/node-server is an adapter that allows users to run Hono applications on Node.js. Since v1.3.0, @hono/node-server has used its own Request object with `url` behavior that is unexpected. In the standard API, if the URL contains `..`, here called "double dots", the URL string returned by Request will be in the resolved path. However, the `url` in @hono/node-server's Request as does not resolve double dots, so `http://localhost/static/.. /foo.txt` is returned. This causes vulnerabilities when using `serveStatic`. Modern web browsers and a latest `curl` command resolve double dots on the client side, so this issue doesn't affect those using either of those tools. However, problems may occur if accessed by a client that does not resolve them. Version 1.4.1 includes the change to fix this issue. As a workaround, don't use `serveStatic`.
Severity ?
5.3 (Medium)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| honojs | node-server |
Affected:
>= 1.3.0, < 1.4.1
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T22:59:32.309Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/honojs/node-server/security/advisories/GHSA-rjq5-w47x-x359",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/honojs/node-server/security/advisories/GHSA-rjq5-w47x-x359"
},
{
"name": "https://github.com/honojs/node-server/commit/dd9b9a9b23e3896403c90a740e7f1f0892feb402",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/honojs/node-server/commit/dd9b9a9b23e3896403c90a740e7f1f0892feb402"
},
{
"name": "https://github.com/honojs/node-server/blob/8cea466fd05e6d2e99c28011fc0e2c2d3f3397c9/src/request.ts#L43-L45",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/honojs/node-server/blob/8cea466fd05e6d2e99c28011fc0e2c2d3f3397c9/src/request.ts#L43-L45"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-23340",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-08T15:34:31.017406Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-30T14:21:51.423Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "node-server",
"vendor": "honojs",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.3.0, \u003c 1.4.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "@hono/node-server is an adapter that allows users to run Hono applications on Node.js. Since v1.3.0, @hono/node-server has used its own Request object with `url` behavior that is unexpected. In the standard API, if the URL contains `..`, here called \"double dots\", the URL string returned by Request will be in the resolved path. However, the `url` in @hono/node-server\u0027s Request as does not resolve double dots, so `http://localhost/static/.. /foo.txt` is returned. This causes vulnerabilities when using `serveStatic`. Modern web browsers and a latest `curl` command resolve double dots on the client side, so this issue doesn\u0027t affect those using either of those tools. However, problems may occur if accessed by a client that does not resolve them. Version 1.4.1 includes the change to fix this issue. As a workaround, don\u0027t use `serveStatic`.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-22T23:00:34.510Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/honojs/node-server/security/advisories/GHSA-rjq5-w47x-x359",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/honojs/node-server/security/advisories/GHSA-rjq5-w47x-x359"
},
{
"name": "https://github.com/honojs/node-server/commit/dd9b9a9b23e3896403c90a740e7f1f0892feb402",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/honojs/node-server/commit/dd9b9a9b23e3896403c90a740e7f1f0892feb402"
},
{
"name": "https://github.com/honojs/node-server/blob/8cea466fd05e6d2e99c28011fc0e2c2d3f3397c9/src/request.ts#L43-L45",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/honojs/node-server/blob/8cea466fd05e6d2e99c28011fc0e2c2d3f3397c9/src/request.ts#L43-L45"
}
],
"source": {
"advisory": "GHSA-rjq5-w47x-x359",
"discovery": "UNKNOWN"
},
"title": "@hono/node-server can\u0027t handle \"double dots\" in URL"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-23340",
"datePublished": "2024-01-22T23:00:34.510Z",
"dateReserved": "2024-01-15T15:19:19.444Z",
"dateUpdated": "2025-05-30T14:21:51.423Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
FKIE_CVE-2024-32652
Vulnerability from fkie_nvd - Published: 2024-04-19 19:15 - Updated: 2025-09-17 20:33
Severity ?
Summary
The adapter @hono/node-server allows you to run your Hono application on Node.js. Prior to 1.10.1, the application hangs when receiving a Host header with a value that `@hono/node-server` can't handle well. Invalid values are those that cannot be parsed by the `URL` as a hostname such as an empty string, slashes `/`, and other strings. The version 1.10.1 includes the fix for this issue.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| hono | node-server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:hono:node-server:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "9C7B1055-D37F-4978-8A0A-A59C056190CF",
"versionEndExcluding": "1.10.1",
"versionStartIncluding": "1.3.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The adapter @hono/node-server allows you to run your Hono application on Node.js. Prior to 1.10.1, the application hangs when receiving a Host header with a value that `@hono/node-server` can\u0027t handle well. Invalid values are those that cannot be parsed by the `URL` as a hostname such as an empty string, slashes `/`, and other strings. The version 1.10.1 includes the fix for this issue."
},
{
"lang": "es",
"value": "El adaptador @hono/node-server le permite ejecutar su aplicaci\u00f3n Hono en Node.js. Antes de 1.10.1, la aplicaci\u00f3n se bloquea cuando recibe un encabezado de Host con un valor que `@hono/node-server` no puede manejar bien. Los valores no v\u00e1lidos son aquellos que la \"URL\" no puede analizar como un nombre de host, como una cadena vac\u00eda, barras diagonales \"/\" y otras cadenas. La versi\u00f3n 1.10.1 incluye la soluci\u00f3n para este problema."
}
],
"id": "CVE-2024-32652",
"lastModified": "2025-09-17T20:33:36.173",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2024-04-19T19:15:07.067",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/honojs/node-server/commit/d847e60249fd8183ba0998bc379ba20505643204"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://github.com/honojs/node-server/issues/159"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/honojs/node-server/security/advisories/GHSA-hgxw-5xg3-69jx"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/honojs/node-server/commit/d847e60249fd8183ba0998bc379ba20505643204"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://github.com/honojs/node-server/issues/159"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/honojs/node-server/security/advisories/GHSA-hgxw-5xg3-69jx"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-755"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2024-23340
Vulnerability from fkie_nvd - Published: 2024-01-22 23:15 - Updated: 2024-11-21 08:57
Severity ?
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary
@hono/node-server is an adapter that allows users to run Hono applications on Node.js. Since v1.3.0, @hono/node-server has used its own Request object with `url` behavior that is unexpected. In the standard API, if the URL contains `..`, here called "double dots", the URL string returned by Request will be in the resolved path. However, the `url` in @hono/node-server's Request as does not resolve double dots, so `http://localhost/static/.. /foo.txt` is returned. This causes vulnerabilities when using `serveStatic`. Modern web browsers and a latest `curl` command resolve double dots on the client side, so this issue doesn't affect those using either of those tools. However, problems may occur if accessed by a client that does not resolve them. Version 1.4.1 includes the change to fix this issue. As a workaround, don't use `serveStatic`.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| hono | node-server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:hono:node-server:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "050ADA00-CAFF-4B7D-AB88-92F4196D1289",
"versionEndExcluding": "1.4.1",
"versionStartIncluding": "1.3.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "@hono/node-server is an adapter that allows users to run Hono applications on Node.js. Since v1.3.0, @hono/node-server has used its own Request object with `url` behavior that is unexpected. In the standard API, if the URL contains `..`, here called \"double dots\", the URL string returned by Request will be in the resolved path. However, the `url` in @hono/node-server\u0027s Request as does not resolve double dots, so `http://localhost/static/.. /foo.txt` is returned. This causes vulnerabilities when using `serveStatic`. Modern web browsers and a latest `curl` command resolve double dots on the client side, so this issue doesn\u0027t affect those using either of those tools. However, problems may occur if accessed by a client that does not resolve them. Version 1.4.1 includes the change to fix this issue. As a workaround, don\u0027t use `serveStatic`.\n\n"
},
{
"lang": "es",
"value": "@hono/node-server es un adaptador que permite a los usuarios ejecutar aplicaciones Hono en Node.js. Desde v1.3.0, @hono/node-server ha utilizado su propio objeto Request con un comportamiento de `url` inesperado. En la API est\u00e1ndar, si la URL contiene `..`, aqu\u00ed denominada \"puntos dobles\", la cadena de URL devuelta por la Solicitud estar\u00e1 en la ruta resuelta. Sin embargo, la `url` en la solicitud de @hono/node-server no resuelve los puntos dobles, por lo que se devuelve `http://localhost/static/.. /foo.txt`. Esto provoca vulnerabilidades al utilizar `serveStatic`. Los navegadores web modernos y el \u00faltimo comando `curl` resuelven los puntos dobles en el lado del cliente, por lo que este problema no afecta a quienes utilizan cualquiera de esas herramientas. Sin embargo, pueden ocurrir problemas si accede un cliente que no los resuelve. La versi\u00f3n 1.4.1 incluye el cambio para solucionar este problema. Como workaround, no utilice \"serveStatic\"."
}
],
"id": "CVE-2024-23340",
"lastModified": "2024-11-21T08:57:32.643",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-01-22T23:15:08.637",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Product"
],
"url": "https://github.com/honojs/node-server/blob/8cea466fd05e6d2e99c28011fc0e2c2d3f3397c9/src/request.ts#L43-L45"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/honojs/node-server/commit/dd9b9a9b23e3896403c90a740e7f1f0892feb402"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/honojs/node-server/security/advisories/GHSA-rjq5-w47x-x359"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product"
],
"url": "https://github.com/honojs/node-server/blob/8cea466fd05e6d2e99c28011fc0e2c2d3f3397c9/src/request.ts#L43-L45"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/honojs/node-server/commit/dd9b9a9b23e3896403c90a740e7f1f0892feb402"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/honojs/node-server/security/advisories/GHSA-rjq5-w47x-x359"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}