GHSA-w332-q679-j88p

Suggest an improvement
Source
https://github.com/advisories/GHSA-w332-q679-j88p
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-w332-q679-j88p/GHSA-w332-q679-j88p.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-w332-q679-j88p
Aliases
Published
2026-01-27T19:09:01Z
Modified
2026-01-27T19:26:17.038212Z
Severity
  • 6.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
Hono has an Arbitrary Key Read in Serve static Middleware (Cloudflare Workers Adapter)
Details

Summary

Serve static Middleware for the Cloudflare Workers adapter contains an information disclosure vulnerability that may allow attackers to read arbitrary keys from the Workers environment. Improper validation of user-controlled paths can result in unintended access to internal asset keys.

Details

The vulnerability exists in the serve-static middleware used with the Cloudflare Workers adapter. When serving static assets, the middleware does not sufficiently validate or restrict user-supplied paths before resolving them against the Workers asset storage.

As a result, an attacker may craft requests that access arbitrary keys beyond the intended static asset scope. This issue only affects applications running on Cloudflare Workers that use Serve static Middleware with user-controllable request paths.

Impact

This vulnerability may lead to information disclosure by allowing unauthorized access to internal assets or data stored in the Workers environment. The exposed data is limited to readable asset keys and does not allow modification of stored data or execution of arbitrary code.

The impact is limited to applications that use Serve static Middleware in the Cloudflare Workers adapter and rely on it to safely handle untrusted request paths.

Affected Components

  • Serve static Middleware (Cloudflare Workers adapter)
Database specific 
{
    "cwe_ids": [
        "CWE-200",
        "CWE-284",
        "CWE-668"
    ],
    "severity": "MODERATE",
    "nvd_published_at": null,
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-27T19:09:01Z"
}
References

Affected packages

npm / hono

Package

Name
hono
View open source insights on deps.dev
Purl
pkg:npm/hono

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4.11.7

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-w332-q679-j88p/GHSA-w332-q679-j88p.json"