Medium severity 5.3 · NVD Advisory · Published Apr 8, 2026 · Updated Apr 21, 2026
CVE-2026-39406
Description
@hono/node-server allows running the Hono application on Node.js. Prior to 1.19.13, a path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes (//) in the request path. When route-based middleware (e.g., /admin/*) is used for authorization, the router may not match paths containing repeated slashes, while serveStatic resolves them as normalized paths. This can lead to a middleware bypass. This vulnerability is fixed in 1.19.13.
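The mismatch described above, as an added example that is not code from @hono/node-server: the two path checks are the regexes from the fix commit on this page, run over constructed request paths. `guardMatches` and `resolvedFile` are hypothetical, simplified stand-ins for route matching and file resolution, not Hono's router or serveStatic's own logic.

```javascript
// Path check before the fix: rejects only ".." segments.
const OLD_CHECK = /(?:^|[\/\\])\.\.(?:$|[\/\\])/
// Path check from 1.19.13: also rejects "." segments and repeated separators.
const NEW_CHECK = /(?:^|[\/\\])\.{1,2}(?:$|[\/\\])|[\/\\]{2,}/

// Hypothetical stand-in for an authorization route on /static/admin/*.
// Assumption: the route matches literal segments and does not collapse "//".
function guardMatches(path) {
  return path === '/static/admin' || path.startsWith('/static/admin/')
}

// Hypothetical stand-in for file resolution: repeated separators collapse,
// the way a normalized filesystem path would.
function resolvedFile(path) {
  return path.replace(/[\/\\]{2,}/g, '/')
}

// Classify one request path under a given path check.
//   rejected          the check refuses the path (serveStatic does not serve it)
//   guarded           the authorization route sees the request
//   served-unguarded  the route does not match, yet the resolved file is
//                     inside the protected prefix (the advisory's bypass)
//   served            an ordinary public file
function classify(path, check) {
  if (check.test(path)) return 'rejected'
  if (guardMatches(path)) return 'guarded'
  return guardMatches(resolvedFile(path)) ? 'served-unguarded' : 'served'
}

// Constructed sample paths; the "//" one is the path used in the fix's test.
const SAMPLES = [
  '/static/logo.png',
  '/static/admin/secret.txt',
  '/static//admin/secret.txt',
  '/static/../admin/secret.txt',
]

// Returns one row per sample with the outcome under each check.
function compare(paths = SAMPLES) {
  return paths.map((p) => ({
    path: p,
    before: classify(p, OLD_CHECK),
    after: classify(p, NEW_CHECK),
  }))
}

console.table(compare())
```

The same `classify` loop works as a regression check for custom static-file middleware: any row reporting `served-unguarded` means routing and file resolution disagree about the path.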
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| @hono/node-server (npm) | < 1.19.13 | 1.19.13 |
Affected products (1)
Patches (1)
025c30f55d58 Merge commit from fork
2 files changed · +4 −1
src/serve-static.ts+1 −1 modified@@ -111,7 +111,7 @@ export const serveStatic = <E extends Env = any>( } else { try { filename = tryDecodeURI(c.req.path) - if (/(?:^|[\/\\])\.\.(?:$|[\/\\])/.test(filename)) { + if (/(?:^|[\/\\])\.{1,2}(?:$|[\/\\])|[\/\\]{2,}/.test(filename)) { throw new Error() } } catch {
test/serve-static.test.ts+3 −0 modified@@ -381,6 +381,9 @@ describe('Serve Static Middleware', () => { expect(res2.status).toBe(404) expect(res2.headers['x-authorized']).toBeUndefined() expect(res2.text).not.toBe('secret') + + const res3 = await request(server).get('/static//admin/secret.txt') + expect(res3.status).toBe(404) }) })
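Review bot: In src/serve-static.ts, the replacement pattern in the `filename` check folds three separate rules into one regex (`..` segments, single `.` segments via `\.{1,2}`, and repeated separators via `[\/\\]{2,}`) with no comment saying why each is rejected. A one-line comment that repeated slashes are refused because the router and serveStatic would otherwise disagree about the path would keep a later edit from loosening it, and splitting the alternation into named patterns would let each rule be tested separately.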
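Review bot: In test/serve-static.test.ts, the new `res3` case asserts only the 404 status, while the `res2` case just above it also checks that `x-authorized` is undefined and that the body is not 'secret'; adding the same two assertions for `res3` would pin down the bypass itself rather than only the status code. The regex change in this commit also starts rejecting single `.` segments and repeated backslashes, and neither has a test in this hunk.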
References (5)
- github.com/advisories/GHSA-92pp-h63x-v22m (ghsa, ADVISORY)
- github.com/honojs/node-server/security/advisories/GHSA-92pp-h63x-v22m (nvd, Vendor Advisory, WEB)
- nvd.nist.gov/vuln/detail/CVE-2026-39406 (ghsa, ADVISORY)
- github.com/honojs/node-server/commit/025c30f55d589ddbe6048b151d77e904f67a8cc2 (ghsa, WEB)
- github.com/honojs/node-server/releases/tag/v1.19.13 (ghsa, WEB)