GHSA-92pp-h63x-v22m
Suggest an improvement- Source
- https://github.com/advisories/GHSA-92pp-h63x-v22m
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-92pp-h63x-v22m/GHSA-92pp-h63x-v22m.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-92pp-h63x-v22m
- Aliases
- Related
- Published
- 2026-04-08T00:16:39Z
- Modified
- 2026-04-09T00:59:09.840917042Z
- Severity
-
- 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
- Summary
- @hono/node-server: Middleware bypass via repeated slashes in serveStatic
- Details
-
Summary
A path handling inconsistency in
serveStaticallows protected static files to be accessed by using repeated slashes (//) in the request path.When route-based middleware (e.g.,
/admin/*) is used for authorization, the router may not match paths containing repeated slashes, whileserveStaticresolves them as normalized paths. This can lead to a middleware bypass.Details
The routing layer and
serveStatichandle repeated slashes differently.For example:
/admin/secret.txt=> matches/admin/*//admin/secret.txt=> may not match/admin/*
This inconsistency allows a request such as:
GET //admin/secret.txtto bypass middleware registered on
/admin/*and access protected files.Impact
An attacker can access static files that are intended to be protected by route-based middleware by using repeated slashes in the request path.
This can lead to unauthorized access to sensitive files under the static root.
This issue affects applications that rely on
serveStatictogether with route-based middleware for access control. - Database specific
{ "nvd_published_at": "2026-04-08T15:16:14Z", "github_reviewed": true, "github_reviewed_at": "2026-04-08T00:16:39Z", "severity": "MODERATE", "cwe_ids": [ "CWE-22" ] }- References
-
- https://github.com/honojs/node-server/security/advisories/GHSA-92pp-h63x-v22m
- https://nvd.nist.gov/vuln/detail/CVE-2026-39406
- https://github.com/honojs/node-server/commit/025c30f55d589ddbe6048b151d77e904f67a8cc2
- https://github.com/honojs/node-server
- https://github.com/honojs/node-server/releases/tag/v1.19.13
Affected packages
npm / @hono/node-server
Package
- Name
- @hono/node-server
- View open source insights on deps.dev
- Purl
- pkg:npm/%40hono/node-server