High severity · NVD Advisory · Published Mar 4, 2026 · Updated Mar 5, 2026
Hono: Arbitrary file access via serveStatic vulnerability
CVE-2026-29045
Description
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.12.4, when using serveStatic together with route-based middleware protections (e.g. app.use('/admin/*', ...)), inconsistent URL decoding allowed protected static resources to be accessed without authorization. The router used decodeURI, while serveStatic used decodeURIComponent. This mismatch allowed paths containing encoded slashes (%2F) to bypass middleware protections while still resolving to the intended filesystem path. This issue has been patched in version 4.12.4.
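The decoding mismatch described above, modeled as an added example (not Hono's code and not the project's patch); the guard prefix, helper names and request paths are constructed assumptions. It shows where the two decoders diverge, a single-decode variant, and a filter for triaging request paths in access logs.

```javascript
// Added example: simplified model, not Hono's router or serveStatic code.
// GUARDED_PREFIX, the helper names and the sample paths are constructed.
const GUARDED_PREFIX = '/admin';

const isGuarded = (path) =>
  path === GUARDED_PREFIX || path.startsWith(GUARDED_PREFIX + '/');

// Behaviour before 4.12.4 as the advisory describes it: route matching sees
// decodeURI output (%2F stays encoded), file lookup sees decodeURIComponent.
function mismatchedView(rawPath) {
  return {
    guardRuns: isGuarded(decodeURI(rawPath)),
    fileServed: decodeURIComponent(rawPath),
  };
}

// One consistent approach (an assumption, not the upstream patch): decode
// once, use that string for both decisions, reject malformed escapes.
function consistentView(rawPath) {
  try {
    const decoded = decodeURIComponent(rawPath);
    return { reject: false, guardRuns: isGuarded(decoded), fileServed: decoded };
  } catch (e) {
    return { reject: true, guardRuns: false, fileServed: null };
  }
}

// Log triage: flag paths that only become guarded after full decoding,
// plus paths with malformed percent-encoding.
function flagSuspicious(rawPaths) {
  return rawPaths.filter((p) => {
    try {
      return !isGuarded(decodeURI(p)) && isGuarded(decodeURIComponent(p));
    } catch (e) {
      return true;
    }
  });
}

// Constructed request paths, as they might appear in an access log.
const samplePaths = [
  '/static/logo.png',
  '/admin/report.txt',
  '/admin%2Freport.txt',
  '/docs/a%26b.txt',
  '/bad%zz',
];
console.log(flagSuspicious(samplePaths));
```

Paths with other encoded reserved characters (such as `%26`) decode differently too, but they are only flagged when the difference changes the guard decision.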
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| hono (npm) | < 4.12.4 | 4.12.4 |
Affected products
osv-coords (14 versions):
- pkg:apk/chainguard/hono (no CPE), range: < 0
- pkg:apk/chainguard/hono-adapter-mqtt (no CPE), range: < 0
- pkg:apk/chainguard/hono-cli (no CPE), range: < 0
- pkg:apk/chainguard/hono-compat (no CPE), range: < 0
- pkg:apk/chainguard/hono-service-auth (no CPE), range: < 0
- pkg:apk/chainguard/hono-service-command-router (no CPE), range: < 0
- pkg:apk/chainguard/hono-service-device-registry-jdbc (no CPE), range: < 0
- pkg:apk/chainguard/kibana-9.1 (no CPE), range: < 9.1.10-r7
- pkg:apk/chainguard/kibana-9.1-iamguarded (no CPE), range: < 9.1.10-r7
- pkg:apk/chainguard/librechat (no CPE), range: < 0.8.3-r1
- pkg:apk/chainguard/opensearch-dashboards-2 (no CPE), range: < 2.19.5-r3
- pkg:apk/chainguard/opensearch-dashboards-2-fips (no CPE), range: < 2.19.5-r1
- pkg:apk/wolfi/opensearch-dashboards-2 (no CPE), range: < 2.19.5-r3
- pkg:npm/hono (no CPE), range: < 4.12.4
References
- github.com/advisories/GHSA-q5qw-h33p-qvwr (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-29045 (ghsa, ADVISORY)
- github.com/honojs/hono/commit/6a0607a929d888893f0c91d92dce2fcfdb3662a3 (ghsa, x_refsource_MISC, WEB)
- github.com/honojs/hono/security/advisories/GHSA-q5qw-h33p-qvwr (ghsa, x_refsource_CONFIRM, WEB)