CVE-2026-29045
HIGH7.5EPSS 0.05%Hono vulnerable to arbitrary file access via serveStatic vulnerability
Description
## Summary When using `serveStatic` together with route-based middleware protections (e.g. `app.use('/admin/*', ...)`), inconsistent URL decoding allowed protected static resources to be accessed without authorization. The router used `decodeURI`, while `serveStatic` used `decodeURIComponent`. This mismatch allowed paths containing encoded slashes (`%2F`) to bypass middleware protections while still resolving to the intended filesystem path. ## Details The routing layer preserved `%2F` as a literal string, while `serveStatic` decoded it into `/` before resolving the file path. Example: Request: `/admin%2Fsecret.html` - Router sees: `/admin%2Fsecret.html` → does not match `/admin/*` - Static handler resolves: `/admin/secret.html` As a result, static files under the configured static root could be served without triggering route-based protections. This only affects applications that both: - Protect subpaths using route-based middleware, and - Serve files from the same static root using `serveStatic`. This does **not** allow access outside the static root and is **not** a path traversal vulnerability. ## Impact An unauthenticated attacker could bypass route-based authorization for protected static resources by supplying paths containing encoded slashes. Applications relying solely on route-based middleware to protect static subpaths may have exposed those resources.
Affected packages (1)
- npm/honofrom 0, < 4.12.4
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |