CVE-2026-29087
Severity: HIGH 7.5 | EPSS: 0.02%
@hono/node-server has authorization bypass for protected static paths via encoded slashes in Serve Static Middleware
Description
## Summary

When using @hono/node-server's static file serving together with route-based middleware protections (e.g. protecting `/admin/*`), inconsistent URL decoding can allow protected static resources to be accessed without authorization. In particular, paths containing encoded slashes (`%2F`) may be evaluated differently by routing/middleware matching versus static file path resolution, enabling a bypass where middleware does not run but the static file is still served.

## Details

The routing layer and the node-server static handler normalize request paths differently. The router preserves `%2F` as a literal string when matching routes, while the static handler decodes `%2F` into `/` before resolving the filesystem path.

Example request:

- `/admin%2Fsecret.html`

This may:

- fail to match middleware intended for `/admin/*`, but
- still be resolved by the static handler as `/admin/secret.html` under the configured static root.

This does not allow access outside the configured static root and is not a path traversal vulnerability.

## Impact

An unauthenticated attacker could bypass route-based authorization protections for protected static resources by supplying paths containing encoded slashes. Applications relying solely on route-based middleware to protect static subpaths under the same static root may have exposed those resources.
Affected packages (1)
- npm/@hono/node-server: affected from 0, < 1.19.10
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |