GHSA-wc8c-qw6v-h7f6

Source
https://github.com/advisories/GHSA-wc8c-qw6v-h7f6
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-wc8c-qw6v-h7f6/GHSA-wc8c-qw6v-h7f6.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-wc8c-qw6v-h7f6
Published
2026-03-04T20:05:49Z
Modified
2026-03-10T19:43:56.563021Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
@hono/node-server has authorization bypass for protected static paths via encoded slashes in Serve Static Middleware
Details

Summary

When using @hono/node-server's static file serving together with route-based middleware protections (e.g. protecting /admin/*), inconsistent URL decoding can allow protected static resources to be accessed without authorization.

In particular, paths containing encoded slashes (%2F) may be evaluated differently by routing/middleware matching versus static file path resolution, enabling a bypass where middleware does not run but the static file is still served.

Details

The routing layer and the node-server static handler normalize request paths differently. The router preserves %2F as a literal string when matching routes, while the static handler decodes %2F into / before resolving the filesystem path.

Example request:

  • /admin%2Fsecret.html

This may:

  • fail to match middleware intended for /admin/*, but
  • still be resolved by the static handler as /admin/secret.html under the configured static root.

This does not allow access outside the configured static root and is not a path traversal vulnerability.

Impact

An unauthenticated attacker could bypass route-based authorization protections for protected static resources by supplying paths containing encoded slashes.

Applications relying solely on route-based middleware to protect static subpaths under the same static root may have exposed those resources.

Database specific
{
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-04T20:05:49Z",
    "cwe_ids": [
        "CWE-863"
    ],
    "severity": "HIGH",
    "nvd_published_at": "2026-03-06T18:16:19Z"
}
Affected packages

npm / @hono/node-server

Package

Name
@hono/node-server
Purl
pkg:npm/%40hono/node-server

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.19.10

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-wc8c-qw6v-h7f6/GHSA-wc8c-qw6v-h7f6.json"