GHSA-wmmm-f939-6g9c

Source

https://github.com/advisories/GHSA-wmmm-f939-6g9c

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-wmmm-f939-6g9c/GHSA-wmmm-f939-6g9c.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-wmmm-f939-6g9c

Aliases

CVE-2026-39407

Downstream

MINI-j2gg-532p-r6g8

Related

CGA-f5qq-7g8r-h66w

Published

2026-04-08T00:16:45Z

Modified

2026-04-09T00:59:14.138177898Z

Severity

5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator

Summary

Hono: Middleware bypass via repeated slashes in serveStatic

Details

Summary

A path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes (//) in the request path.

When route-based middleware (e.g., /admin/*) is used for authorization, the router may not match paths containing repeated slashes, while serveStatic resolves them as normalized paths. This can lead to a middleware bypass.

Details

The routing layer and serveStatic handle repeated slashes differently.

For example:

/admin/secret.txt => matches /admin/*
/admin//secret.txt => may not match /admin/*

However, serveStatic may interpret both paths as the same file location (e.g., admin/secret.txt) and return the file.

This inconsistency allows a request such as:

GET //admin/secret.txt

to bypass middleware registered on /admin/* and access protected files.

The issue has been fixed by rejecting paths that contain repeated slashes, ensuring consistent behavior between route matching and static file resolution.

Impact

An attacker can access static files that are intended to be protected by route-based middleware by using repeated slashes in the request path.

This can lead to unauthorized access to sensitive files under the static root.

This issue affects applications that rely on serveStatic together with route-based middleware for access control.

Database specific

{
    "severity": "MODERATE",
    "github_reviewed": true,
    "nvd_published_at": "2026-04-08T15:16:14Z",
    "cwe_ids": [
        "CWE-22"
    ],
    "github_reviewed_at": "2026-04-08T00:16:45Z"
}

References

Affected packages

npm / hono

Package

Name: hono; View open source insights on deps.dev
Purl: pkg:npm/hono

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.12.12

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-wmmm-f939-6g9c/GHSA-wmmm-f939-6g9c.json"