Hono: Access to protected files by manipulating request path with repeated slashes

GHSA-wmmm-f939-6g9c CVE-2026-39407
Summary

Hono's `serveStatic` middleware has a bug that allows attackers to access protected static files by using repeated slashes in the request path, which can lead to unauthorized access to sensitive files. This affects applications that use Hono with route-based middleware for access control. To fix this issue, update your application to the latest version of Hono, which rejects paths containing repeated slashes.

What to do
  • Update yusukebe hono to version 4.12.12.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| yusukebe | hono | <= 4.12.12 | 4.12.12 |
Original title
Hono: Middleware bypass via repeated slashes in serveStatic
Original description
## Summary

A path handling inconsistency in `serveStatic` allows protected static files to be accessed by using repeated slashes (`//`) in the request path.

When route-based middleware (e.g., `/admin/*`) is used for authorization, the router may not match paths containing repeated slashes, while `serveStatic` resolves them as normalized paths. This can lead to a middleware bypass.

## Details

The routing layer and `serveStatic` handle repeated slashes differently.

For example:

```
/admin/secret.txt => matches /admin/*
/admin//secret.txt => may not match /admin/*
```

However, `serveStatic` may interpret both paths as the same file location (e.g., `admin/secret.txt`) and return the file.

This inconsistency allows a request such as:

```
GET //admin/secret.txt
```

to bypass middleware registered on `/admin/*` and access protected files.

The issue has been fixed by rejecting paths that contain repeated slashes, ensuring consistent behavior between route matching and static file resolution.

## Impact

An attacker can access static files that are intended to be protected by route-based middleware by using repeated slashes in the request path.

This can lead to unauthorized access to sensitive files under the static root.

This issue affects applications that rely on `serveStatic` together with route-based middleware for access control.
GHSA CVSS 3.1 score: 5.3
Vulnerability type
CWE-22 Path Traversal
Published: 8 Apr 2026 · Updated: 8 Apr 2026 · First seen: 8 Apr 2026