@hono/node-server can't handle "double dots" in URL
Description
@hono/node-server is an adapter that allows users to run Hono applications on Node.js. Since v1.3.0, @hono/node-server has used its own Request object with url behavior that is unexpected. In the standard API, if the URL contains .., here called "double dots", the URL string returned by Request will be in the resolved path. However, the url in @hono/node-server's Request as does not resolve double dots, so http://localhost/static/.. /foo.txt is returned. This causes vulnerabilities when using serveStatic. Modern web browsers and a latest curl command resolve double dots on the client side, so this issue doesn't affect those using either of those tools. However, problems may occur if accessed by a client that does not resolve them. Version 1.4.1 includes the change to fix this issue. As a workaround, don't use serveStatic.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
@hono/node-servernpm | >= 1.3.0, < 1.4.1 | 1.4.1 |
Affected products
2- Range: >= 1.3.0, < 1.4.1
Patches
Vulnerability mechanics
References
5- github.com/advisories/GHSA-rjq5-w47x-x359ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2024-23340ghsaADVISORY
- github.com/honojs/node-server/blob/8cea466fd05e6d2e99c28011fc0e2c2d3f3397c9/src/request.tsghsax_refsource_MISCWEB
- github.com/honojs/node-server/commit/dd9b9a9b23e3896403c90a740e7f1f0892feb402ghsax_refsource_MISCWEB
- github.com/honojs/node-server/security/advisories/GHSA-rjq5-w47x-x359ghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.