7.5
Hono allows unauthorized access to protected static files via encoded slashes
CVE-2026-29045
GHSA-q5qw-h33p-qvwr
Summary
Hono (the honojs/hono web framework) has a bug that lets an unauthenticated attacker read static files that route-based middleware was meant to protect, by sending a URL with an encoded slash (`%2F`) in place of `/`. The router and `serveStatic` decode the path differently, so a request such as `/admin%2Fsecret.html` does not match `app.use('/admin/*', ...)` but still resolves to `/admin/secret.html` on disk. If you protect subpaths with route middleware and serve those same paths with `serveStatic`, upgrade to 4.12.4; until you can, do not rely on route matching alone to gate static files.
What to do
- Update the `hono` npm package (honojs/hono, by yusukebe) to version 4.12.4.
- Verify the installed version with `npm ls hono` (or your package manager's equivalent), including transitive copies pulled in by other dependencies.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | hono | < 4.12.4 | 4.12.4 |
| yusukebe | hono | < 4.12.4 | 4.12.4 |
| hono | hono | < 4.12.4 | 4.12.4 |
Original title
Hono vulnerable to arbitrary file access via serveStatic vulnerability
Original description
## Summary
When using `serveStatic` together with route-based middleware protections (e.g. `app.use('/admin/*', ...)`), inconsistent URL decoding allowed protected static resources to be accessed without authorization.
The router used `decodeURI`, while `serveStatic` used `decodeURIComponent`. This mismatch allowed paths containing encoded slashes (`%2F`) to bypass middleware protections while still resolving to the intended filesystem path.
## Details
The routing layer preserved `%2F` as a literal string, while `serveStatic` decoded it into `/` before resolving the file path.
Example:
Request: `/admin%2Fsecret.html`
- Router sees: `/admin%2Fsecret.html` → does not match `/admin/*`
- Static handler resolves: `/admin/secret.html`
As a result, static files under the configured static root could be served without triggering route-based protections.
This only affects applications that both:
- Protect subpaths using route-based middleware, and
- Serve files from the same static root using `serveStatic`.
This does **not** allow access outside the static root and is **not** a path traversal vulnerability.
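The mismatch above, as an added example that is not code from Hono or from the advisory: `handleVulnerable` models a router that decodes with `decodeURI` (which leaves reserved characters such as `%2F` encoded) in front of a static handler that decodes with `decodeURIComponent`, and `handleHardened` shows the fix of decoding once and running both the route check and the file lookup on the same string. `STATIC_ROOT`, `PROTECTED_PREFIX` and the function names are constructed for the illustration; the example also rejects a double-encoded `%252F`, which the advisory does not discuss.

```javascript
// Added example, not Hono's code. STATIC_ROOT is a constructed stand-in for
// files under the static root; PROTECTED_PREFIX stands in for
// app.use('/admin/*', auth).
const STATIC_ROOT = new Map([
  ['/index.html', '<h1>public</h1>'],
  ['/admin/secret.html', '<h1>admin only</h1>'],
]);
const PROTECTED_PREFIX = '/admin/';

// Both decodings of the same raw request path, to show where they diverge.
function decodeBothWays(rawPath) {
  return {
    routerView: decodeURI(rawPath),          // '/admin%2Fsecret.html' stays as-is
    staticView: decodeURIComponent(rawPath), // becomes '/admin/secret.html'
  };
}

// Vulnerable pipeline: the route check sees the decodeURI view, the file
// lookup uses the decodeURIComponent view.
function handleVulnerable(rawPath, authenticated) {
  const { routerView, staticView: fsPath } = decodeBothWays(rawPath);
  if (routerView.startsWith(PROTECTED_PREFIX) && !authenticated) {
    return { status: 401 };
  }
  if (!STATIC_ROOT.has(fsPath)) return { status: 404 };
  return { status: 200, fsPath, body: STATIC_ROOT.get(fsPath) };
}

// Hardened pipeline: decode once, run the route check and the file lookup on
// the same string, and refuse paths that still contain an encoded slash after
// that single decode (a double-encoded %252F would otherwise reach the
// filesystem layer as %2F).
function handleHardened(rawPath, authenticated) {
  let fsPath;
  try {
    fsPath = decodeURIComponent(rawPath);
  } catch {
    return { status: 400 }; // malformed percent-encoding
  }
  if (/%2f/i.test(fsPath)) return { status: 400 };
  if (fsPath.startsWith(PROTECTED_PREFIX) && !authenticated) {
    return { status: 401 };
  }
  if (!STATIC_ROOT.has(fsPath)) return { status: 404 };
  return { status: 200, fsPath, body: STATIC_ROOT.get(fsPath) };
}

// Stand-alone demonstration of the three interesting inputs.
if (typeof require !== 'undefined' && require.main === module) {
  for (const raw of ['/admin/secret.html', '/admin%2Fsecret.html', '/admin%252Fsecret.html']) {
    console.log(raw,
      'vulnerable:', handleVulnerable(raw, false).status,
      'hardened:', handleHardened(raw, false).status);
  }
}
```

Run it with `node` and the unauthenticated `/admin%2Fsecret.html` request returns 200 from the vulnerable pipeline but 401 from the hardened one; the point to take away is that any authorization decision made on a path must be made on exactly the string the file-serving layer will use.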
## Impact
An unauthenticated attacker could bypass route-based authorization for protected static resources by supplying paths containing encoded slashes.
Applications relying solely on route-based middleware to protect static subpaths may have exposed those resources.
NVD CVSS 3.1: 9.8
Vulnerability type: CWE-177
- https://nvd.nist.gov/vuln/detail/CVE-2026-29045
- https://github.com/advisories/GHSA-q5qw-h33p-qvwr
- https://github.com/honojs/hono/commit/6a0607a929d888893f0c91d92dce2fcfdb3662a3 Patch
- https://github.com/honojs/hono/security/advisories/GHSA-q5qw-h33p-qvwr Vendor Advisory
- https://github.com/honojs/hono Product
Published: 4 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026