VYPR

npm package

@hono/node-server

pkg:npm/%40hono/node-server

Vulnerabilities (4)

  • CVE-2026-39406MedApr 8, 2026
    affected < 1.19.13fixed 1.19.13

    @hono/node-server allows running the Hono application on Node.js. Prior to 1.19.13, a path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes (//) in the request path. When route-based middleware (e.g., /admin/*) is used f

  • CVE-2026-29087HigMar 6, 2026
    affected < 1.19.10fixed 1.19.10

    @hono/node-server allows running the Hono application on Node.js. Prior to version 1.19.10, when using @hono/node-server's static file serving together with route-based middleware protections (e.g. protecting /admin/*), inconsistent URL decoding can allow protected static resourc

  • CVE-2024-32652Apr 19, 2024
    affected >= 1.3.0, < 1.10.1fixed 1.10.1

    The adapter @hono/node-server allows you to run your Hono application on Node.js. Prior to 1.10.1, the application hangs when receiving a Host header with a value that `@hono/node-server` can't handle well. Invalid values are those that cannot be parsed by the `URL` as a hostname

  • CVE-2024-23340Jan 22, 2024
    affected >= 1.3.0, < 1.4.1fixed 1.4.1

    @hono/node-server is an adapter that allows users to run Hono applications on Node.js. Since v1.3.0, @hono/node-server has used its own Request object with `url` behavior that is unexpected. In the standard API, if the URL contains `..`, here called "double dots", the URL string