CVE

CVE-2026-29045

Hono: Arbitrary file access via serveStatic vulnerability

CVE

CVE-2026-29045

Hono: Arbitrary file access via serveStatic vulnerability

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.12.4, when using serveStatic together with route-based middleware protections (e.g. app.use('/admin/*', ...)), inconsistent URL decoding allowed protected static resources to be accessed without authorization. The router used decodeURI, while serveStatic used decodeURIComponent. This mismatch allowed paths containing encoded slashes (%2F) to bypass middleware protections while still resolving to the intended filesystem path. This issue has been patched in version 4.12.4.

Package Versions Affected

No items found.

Automatically patch vulnerabilities without upgrading

Fix Without Upgrading

Detect compatible fix

Apply safe remediation

Fix with a single pull request

CVSS Version

7.5

3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Related Resources

No items found.

References

https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/29xxx/CVE-2026-29045.json, https://github.com/honojs/hono/security/advisories/GHSA-q5qw-h33p-qvwr, https://nvd.nist.gov/vuln/detail/CVE-2026-29045, https://github.com/honojs/hono/commit/6a0607a929d888893f0c91d92dce2fcfdb3662a3

Severity

7.5

CVSS Score

Basic Information

Ecosystem

Base CVSS

7.5

EPSS Probability

0.0005%

EPSS Percentile

0.1591%

Introduced Version

Fix Available

19d20d23a2921e26c3bbfdb5549fce98b4a39b28,0,9.1.10-r7,0.8.3-r1,2.19.5-r3,2.19.5-r1

Fix Critical Vulnerabilities Instantly

Secure your app without upgrading.

Fix Without Upgrading

Get a Demo

Let's Patch It!

CVE-2026-29045

CVE-2026-29045

Package Versions Affected

Automatically patch vulnerabilities without upgrading

CVSS Version

Related Resources

References

Severity

7.5

Basic Information

Fix Critical Vulnerabilities Instantly