CVE-2024-23340

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2024-23340

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-23340.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2024-23340

Aliases

GHSA-rjq5-w47x-x359

Related

GHSA-rjq5-w47x-x359

Published

2024-01-22T23:15:08Z

Modified

2025-07-02T00:30:37.167671Z

Severity

5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator

Summary

[none]

Details

@hono/node-server is an adapter that allows users to run Hono applications on Node.js. Since v1.3.0, @hono/node-server has used its own Request object with url behavior that is unexpected. In the standard API, if the URL contains .., here called "double dots", the URL string returned by Request will be in the resolved path. However, the url in @hono/node-server's Request as does not resolve double dots, so http://localhost/static/.. /foo.txt is returned. This causes vulnerabilities when using serveStatic. Modern web browsers and a latest curl command resolve double dots on the client side, so this issue doesn't affect those using either of those tools. However, problems may occur if accessed by a client that does not resolve them. Version 1.4.1 includes the change to fix this issue. As a workaround, don't use serveStatic.

References

Affected packages

Git / github.com/honojs/node-server

Affected ranges

Type: GIT
Repo: https://github.com/honojs/node-server
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

dd9b9a9b23e3896403c90a740e7f1f0892feb402

Affected versions

v0.*

v0.0.1

v0.0.2

v0.1.0

v0.1.1

v0.1.2

v0.1.3

v0.2.0

v0.2.1

v0.2.2

v0.2.3

v0.2.4

v0.3.0

v0.4.0

v0.5.0

v0.5.1

v0.6.0

v1.*

v1.0.0

v1.0.0-rc.1

v1.0.1

v1.0.2

v1.1.0

v1.1.1

v1.2.0

v1.2.1

v1.2.2

v1.2.3

v1.3.0

v1.3.1

v1.3.2

v1.3.3

v1.3.4

v1.3.5

v1.4.0