VYPR
Medium severity (5.9) · GHSA Advisory · Published Jun 16, 2026 · Updated Jun 16, 2026

hono: Path traversal in `serve-static` on Windows via encoded backslash (`%5C`)

CVE-2026-54286

Description

On Windows, an encoded backslash (`%5C`) in a request path bypasses prefix-mounted middleware and allows reading protected static files via `serve-static`.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

The vulnerability resides in the `serve-static` middleware on Windows hosts. When a request path contains an encoded backslash (`%5C`), the router splits the path only on `/`, so `/admin%5Csecret.txt` is treated as a single segment. The `serve-static` guard rejects `.` and `..` segments but lets a lone `\` through. On Windows, the file resolver interprets the backslash as a path separator, so the single segment resolves to a nested file under the static root. An attacker can therefore read static files that were meant to be protected by prefix-mounted middleware. The issue affects all versions of `serve-static` on Windows when used with the Node, Bun, or Deno adapters and a static subtree guarded by prefix-mounted middleware. [1]

Exploitation

An unauthenticated attacker can exploit this by sending a crafted HTTP request with an encoded backslash in the path, such as `/admin%5Csecret.txt`. Middleware mounted on `/admin/*` does not match, because the router sees the path as a single segment. The `serve-static` middleware then handles the request, and the Windows path resolver treats the backslash as a separator, serving the file `admin/secret.txt` from the static root. No authentication or special privileges are required. [1]

Impact

Successful exploitation allows an unauthenticated attacker to read static files located under a middleware-guarded prefix on Windows hosts. Reads are confined to the configured static root; directory escape using `..` is still blocked. The confidentiality of protected static assets is compromised, but integrity and availability are not affected. [1]

Mitigation

As of the publication date (2026-06-16), no official fix has been released in the available references. Users are advised to avoid relying on prefix-mounted middleware for access control on Windows hosts, or to use a reverse proxy that normalizes encoded characters before the request reaches the application. [1]
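As an added example (not hono's own code, and not taken from the advisory), the check below shows the defender-side normalization the mitigation calls for: decode the path once, as the server does, and split on both `/` and `\` so that a guarded prefix is matched the way the Windows file resolver would resolve it. The function names `normalizeStaticPath`, `isGuardedPath` and `hasBackslash` are assumptions for illustration.

```javascript
// Added example, not part of hono or the advisory. Names are assumptions.

// Decode percent-encoding once (what the file resolver sees) and split on
// BOTH '/' and '\', because on Windows the resolver treats '\' as a separator.
// Returns null for malformed encoding or a '.'/'..' segment (refuse, don't guess).
function normalizeStaticPath(rawPath) {
  let decoded;
  try {
    decoded = decodeURIComponent(rawPath);
  } catch {
    return null; // bad percent-encoding
  }
  const segments = decoded.split(/[\\\/]+/).filter((s) => s.length > 0);
  if (segments.some((s) => s === '.' || s === '..')) return null;
  return segments;
}

// True when the request would land inside the guarded prefix (e.g. '/admin'),
// even if the raw URL hid the separator as %5C. Unparseable paths count as
// guarded so they are denied rather than served.
function isGuardedPath(rawPath, guardedPrefix) {
  const segs = normalizeStaticPath(rawPath);
  if (segs === null) return true;
  const prefixSegs = guardedPrefix.split(/[\\\/]+/).filter((s) => s.length > 0);
  return prefixSegs.every((p, i) => segs[i] === p);
}

// Simpler pre-serve-static check: a legitimate URL path never needs a
// backslash, so reject any decoded path that still contains one.
function hasBackslash(rawPath) {
  try {
    return decodeURIComponent(rawPath).includes('\\');
  } catch {
    return true; // malformed encoding: reject
  }
}
```

Run either check in middleware mounted before `serve-static` and respond with 400 or 403 when it fires; the first also lets the existing `/admin/*` guard see `/admin%5Csecret.txt` as an `admin` request.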

AI Insight generated on Jun 16, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
