GHSA-q5qw-h33p-qvwr

Source
https://github.com/advisories/GHSA-q5qw-h33p-qvwr
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-q5qw-h33p-qvwr/GHSA-q5qw-h33p-qvwr.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-q5qw-h33p-qvwr
Aliases
  • CVE-2026-29045
Downstream
Published
2026-03-04T19:48:00Z
Modified
2026-03-05T15:34:51.614741Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
Hono vulnerable to arbitrary file access via serveStatic vulnerability
Details

Summary

When using serveStatic together with route-based middleware protections (e.g. app.use('/admin/*', ...)), inconsistent URL decoding allowed protected static resources to be accessed without authorization.

The router used decodeURI, while serveStatic used decodeURIComponent. This mismatch allowed paths containing encoded slashes (%2F) to bypass middleware protections while still resolving to the intended filesystem path.

Details

The routing layer preserved %2F as a literal string, while serveStatic decoded it into / before resolving the file path.

Example:

Request: /admin%2Fsecret.html

  • Router sees: /admin%2Fsecret.html → does not match /admin/*
  • Static handler resolves: /admin/secret.html

As a result, static files under the configured static root could be served without triggering route-based protections.

This only affects applications that both:

  • Protect subpaths using route-based middleware, and
  • Serve files from the same static root using serveStatic.

This does not allow access outside the static root and is not a path traversal vulnerability.
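To make the decoding mismatch above concrete, here is an added JavaScript example; it is not Hono's code and not the project's fix. It applies decodeURI (the router's behaviour) and decodeURIComponent (serveStatic's behaviour) to the advisory's request path, checks whether a route guard on the /admin/ prefix disagrees between the two views, and shows one defensive normalization (an assumption for this example, not what 4.12.4 implements) that rejects an encoded slash before a single decode so both layers always agree on where the path separators are. PROTECTED_PREFIX, the function names and the sample request list are constructed for the example.

```javascript
// Added example (not Hono's code): reproduce the decodeURI vs decodeURIComponent
// mismatch described in the advisory and show a consistent normalization that a
// route-based protection check can apply so both layers see the same path.

// Hypothetical protected prefix, mirroring the advisory's app.use('/admin/*', ...)
const PROTECTED_PREFIX = '/admin/';

// Router-style view of a path: decodeURI leaves escapes for reserved characters
// such as %2F ('/') untouched, so the encoded slash survives as a literal string.
function routerView(rawPath) {
  return decodeURI(rawPath);
}

// Static-handler-style view: decodeURIComponent decodes every escape, including %2F.
function staticView(rawPath) {
  return decodeURIComponent(rawPath);
}

// Route-based protection as each layer would evaluate it.
function isProtected(path) {
  return path.startsWith(PROTECTED_PREFIX);
}

// Detection check: the router does not consider the path protected, yet the static
// handler would resolve it inside the protected subtree. Malformed escapes throw
// URIError in both decoders, which is treated as "no disagreement" here.
function bypassesRouteGuard(rawPath) {
  try {
    return !isProtected(routerView(rawPath)) && isProtected(staticView(rawPath));
  } catch {
    return false;
  }
}

// Hardened normalization (assumption, not Hono's fix): refuse any path that carries
// an encoded slash, then decode exactly once. Rejecting rather than decoding %2F
// avoids reinterpreting segment boundaries and avoids double-decoding.
function normalizeOrReject(rawPath) {
  if (/%2F/i.test(rawPath)) {
    return null; // encoded slash inside a path segment: reject
  }
  try {
    return decodeURIComponent(rawPath);
  } catch {
    return null; // malformed percent-encoding
  }
}

// Constructed request paths, including the advisory's own example.
const SAMPLE_REQUESTS = ['/admin%2Fsecret.html', '/admin/secret.html', '/public/index.html'];

// One row per request: what each layer sees, whether they disagree, and the
// hardened result (null means the request would be rejected).
function report() {
  return SAMPLE_REQUESTS.map((raw) => ({
    raw,
    router: routerView(raw),
    static: staticView(raw),
    bypass: bypassesRouteGuard(raw),
    normalized: normalizeOrReject(raw),
  }));
}

console.table(report());
```

Running this with node prints one row per constructed request; only /admin%2Fsecret.html shows bypass: true, because the router view still contains the literal %2F and fails the /admin/ prefix check while the static view resolves to /admin/secret.html. The same disagreement check can be run over access-log request paths to find requests that would have slipped past a route guard.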

Impact

An unauthenticated attacker could bypass route-based authorization for protected static resources by supplying paths containing encoded slashes.

Applications relying solely on route-based middleware to protect static subpaths may have exposed those resources.

Database specific
{
    "nvd_published_at": "2026-03-04T23:16:10Z",
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-04T19:48:00Z",
    "cwe_ids": [
        "CWE-177"
    ]
}
References

Affected packages

npm / hono

Package

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
4.12.4

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-q5qw-h33p-qvwr/GHSA-q5qw-h33p-qvwr.json"