CVE-2026-47676

Hono: app.mount() strips mount prefix using undecoded path, causing incorrect routing for percent-encoded paths

Assigner: GitHub_M
Reserved: 19.05.2026 Published: 28.05.2026 Updated: 28.05.2026

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, app.mount() strips the mount prefix from the incoming request path using the raw URL pathname, while route matching is performed against the percent-decoded path. This inconsistency causes the prefix to be stripped at the wrong position when the path contains percent-encoded multi-byte characters, resulting in the mounted sub-application receiving an incorrect path. This vulnerability is fixed in 4.12.21.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVSS Score: 5.3

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	Low
Privileges Required	None	Integrity Impact	None
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	honojs
Product	hono
Versions	Version < 4.12.21 is affected

Vendor

honojs

Product

hono

Versions

Version < 4.12.21 is affected

References

Problem Types

CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') CWE
CWE-693: Protection Mechanism Failure CWE

CVE-2026-47676 PUBLISHED

Hono: app.mount() strips mount prefix using undecoded path, causing incorrect routing for percent-encoded paths

Metrics

Product Status

References

Problem Types