npm package
@hono/node-server
pkg:npm/%40hono/node-server
Vulnerabilities (4)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-39406 | Med | 5.3 | < 1.19.13 | 1.19.13 | Apr 8, 2026 | @hono/node-server allows running the Hono application on Node.js. Prior to 1.19.13, a path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes (//) in the request path. When route-based middleware (e.g., /admin/*) is used f | |
| CVE-2026-29087 | Hig | 7.5 | < 1.19.10 | 1.19.10 | Mar 6, 2026 | @hono/node-server allows running the Hono application on Node.js. Prior to version 1.19.10, when using @hono/node-server's static file serving together with route-based middleware protections (e.g. protecting /admin/*), inconsistent URL decoding can allow protected static resourc | |
| CVE-2024-32652 | — | >= 1.3.0, < 1.10.1 | 1.10.1 | Apr 19, 2024 | The adapter @hono/node-server allows you to run your Hono application on Node.js. Prior to 1.10.1, the application hangs when receiving a Host header with a value that `@hono/node-server` can't handle well. Invalid values are those that cannot be parsed by the `URL` as a hostname | ||
| CVE-2024-23340 | — | >= 1.3.0, < 1.4.1 | 1.4.1 | Jan 22, 2024 | @hono/node-server is an adapter that allows users to run Hono applications on Node.js. Since v1.3.0, @hono/node-server has used its own Request object with `url` behavior that is unexpected. In the standard API, if the URL contains `..`, here called "double dots", the URL string |
- affected < 1.19.13fixed 1.19.13
@hono/node-server allows running the Hono application on Node.js. Prior to 1.19.13, a path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes (//) in the request path. When route-based middleware (e.g., /admin/*) is used f
- affected < 1.19.10fixed 1.19.10
@hono/node-server allows running the Hono application on Node.js. Prior to version 1.19.10, when using @hono/node-server's static file serving together with route-based middleware protections (e.g. protecting /admin/*), inconsistent URL decoding can allow protected static resourc
- CVE-2024-32652Apr 19, 2024affected >= 1.3.0, < 1.10.1fixed 1.10.1
The adapter @hono/node-server allows you to run your Hono application on Node.js. Prior to 1.10.1, the application hangs when receiving a Host header with a value that `@hono/node-server` can't handle well. Invalid values are those that cannot be parsed by the `URL` as a hostname
- CVE-2024-23340Jan 22, 2024affected >= 1.3.0, < 1.4.1fixed 1.4.1
@hono/node-server is an adapter that allows users to run Hono applications on Node.js. Since v1.3.0, @hono/node-server has used its own Request object with `url` behavior that is unexpected. In the standard API, if the URL contains `..`, here called "double dots", the URL string