GHSA-wwfh-h76j-fc44

Suggest an improvement
Source
https://github.com/advisories/GHSA-wwfh-h76j-fc44
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-wwfh-h76j-fc44/GHSA-wwfh-h76j-fc44.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-wwfh-h76j-fc44
Aliases
  • CVE-2026-54286
Downstream
Related
Published
2026-06-16T14:09:03Z
Modified
2026-06-17T17:59:20.280479230Z
Severity
  • 5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
hono: Path traversal in `serve-static` on Windows via encoded backslash (`%5C`)
Details

Summary

On Windows hosts, an encoded backslash (%5C) in the request path decodes to \, which the Windows path resolver treats as a separator. serve-static then resolves a single URL segment such as admin\secret.txt into a nested file under the root and serves it, letting an attacker read static files meant to be protected behind prefix-mounted middleware. Directory escape (..) remains blocked.

Details

The router splits paths only on /, so /admin%5Csecret.txt is one segment and middleware on /admin/* does not run. The serve-static guard rejects ./.. and consecutive separators but lets a lone \ through; on Windows the file resolver re-splits it into the protected subtree.

This affects Windows hosts serving static files via the Node, Bun, or Deno adapters that guard a static subtree with prefix-mounted middleware.

Impact

An unauthenticated attacker can read static files under a middleware-guarded prefix on Windows hosts. The read stays within the configured root; escape outside the root is not possible.

Database specific
{
    "nvd_published_at": null,
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-22"
    ],
    "github_reviewed_at": "2026-06-16T14:09:03Z",
    "github_reviewed": true
}
References

Affected packages

npm / hono

Package

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4.12.25

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-wwfh-h76j-fc44/GHSA-wwfh-h76j-fc44.json"