CVE-2026-39406 PUBLISHED

@hono/node-server has a middleware bypass via repeated slashes in serveStatic

Assigner: GitHub_M
Reserved: 07.04.2026 Published: 08.04.2026 Updated: 08.04.2026

@hono/node-server allows running the Hono application on Node.js. Prior to 1.19.13, a path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes (//) in the request path. When route-based middleware (e.g., /admin/*) is used for authorization, the router may not match paths containing repeated slashes, while serveStatic resolves them as normalized paths. This can lead to a middleware bypass. This vulnerability is fixed in 1.19.13.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVSS Score: 5.3

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	Low
Privileges Required	None	Integrity Impact	None
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	honojs
Product	node-server
Versions	Version < 1.19.13 is affected

References

https://github.com/honojs/node-server/security/advisories/GHSA-92pp-h63x-v22m

Problem Types

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE