CVE-2026-29045

7.5 HIGH

📋 TL;DR

This vulnerability in the Hono web framework allows attackers to bypass route-based middleware protections (such as authentication) for static files by using encoded slashes (%2F) in URLs. It affects applications that use serveStatic together with middleware mounted on specific routes. Any application running a Hono version before 4.12.4 with this configuration is vulnerable.

💻 Affected Systems

Products:
  • Hono web framework
Versions: All versions prior to 4.12.4
Operating Systems: All platforms running Node.js/JavaScript runtimes
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications using serveStatic middleware with route-based protections (app.use('/admin/*', ...) patterns).

⚠️ Risk & Real-World Impact

🔴 Worst Case: Unauthorized access to sensitive static files (admin interfaces, configuration files, user data) leading to data breach or privilege escalation.

🟠 Likely Case: Exposure of protected static resources that should require authentication, potentially leaking sensitive information.

🟢 If Mitigated: If proper file permissions and additional security layers exist, impact is limited to unauthorized file access without execution.

🌐 Internet-Facing: HIGH - Web applications are typically internet-facing and this allows bypassing authentication controls.
🏢 Internal Only: MEDIUM - Internal applications still at risk but attack surface may be smaller.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires knowledge of protected routes and uses simple URL encoding techniques.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.12.4

Vendor Advisory: https://github.com/honojs/hono/security/advisories/GHSA-q5qw-h33p-qvwr

Restart Required: Yes

Instructions:

1. Update Hono package: npm update hono@4.12.4 or yarn upgrade hono@4.12.4
2. Restart your application server
3. Verify the update with npm list hono or yarn list hono

🔧 Temporary Workarounds

URL normalization middleware

Applies to: all

Add custom middleware that inspects the raw, undecoded request path before route processing. In Hono, c.req.path is a read-only getter, so the decoded path cannot simply be assigned back to it; the middleware therefore rejects any request whose path hides a separator behind percent-encoding (%2F, %2f, or the double-encoded %252F) instead of rewriting it:

app.use('*', async (c, next) => {
  // c.req.url is the full request URL; URL.pathname keeps the percent-encoding intact
  const rawPath = new URL(c.req.url).pathname
  if (/%(25)*2f/i.test(rawPath)) return c.text('Bad Request', 400)
  await next()
})

🧯 If You Can't Patch

  • Implement additional authentication checks at the application level for all static file access
  • Move sensitive static files outside of serveStatic directories and serve through protected routes only

🔍 How to Verify

Check if Vulnerable:

Check whether the application uses Hono <4.12.4 together with serveStatic and route-based middleware protections.

Check Version:

npm list hono | grep hono or check package.json for version

Verify Fix Applied:

Request protected routes using %2F-encoded slashes; after the fix they should be blocked.

📡 Detection & Monitoring

Log Indicators:

  • Requests to protected routes containing %2F or other encoded characters
  • Access to static files that should require authentication

Network Indicators:

  • HTTP requests with encoded slashes in paths to protected endpoints

SIEM Query:

web.access AND (url CONTAINS "%2F" OR url CONTAINS "%252F") AND (url STARTSWITH "/admin/" OR url STARTSWITH "/protected/")
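As an added example (not part of this advisory or of Hono), the following JavaScript applies the log indicators above to access-log lines, catching both the %2F form and the double-encoded %252F form that the SIEM query mentions. The protected prefixes and the sample log lines are constructed assumptions.

```javascript
// Detection helper written for this summary (not Hono or advisory code): flags
// access-log requests that reach protected prefixes via percent-encoded slashes.
const PROTECTED_PREFIXES = ['/admin/', '/protected/'];
// A percent-encoded slash at any encoding depth and either case: %2F, %2f, %252F, ...
const ENCODED_SLASH = /%(25)*2f/i;

// Parses one Apache/Nginx combined-format line; returns null when it does not match.
function parseAccessLogLine(line) {
  const m = line.match(/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/);
  if (!m) return null;
  return { ip: m[1], time: m[2], method: m[3], path: m[4], status: Number(m[5]) };
}

// Decodes a path the way the router eventually sees it, unwrapping up to three
// layers so %252F -> %2F -> / is caught; malformed sequences fall back to a
// plain slash substitution instead of throwing.
function decodePath(rawPath) {
  let decoded = rawPath;
  try {
    for (let i = 0; i < 3 && /%[0-9a-f]{2}/i.test(decoded); i++) {
      decoded = decodeURIComponent(decoded);
    }
  } catch {
    decoded = rawPath.replace(/%(25)*2f/gi, '/');
  }
  return decoded;
}

// True when the raw path carries an encoded slash and, once decoded, lands under
// a prefix that route-based middleware is supposed to guard.
function isEncodedSlashBypassAttempt(rawPath, prefixes = PROTECTED_PREFIXES) {
  if (!ENCODED_SLASH.test(rawPath)) return false;
  const decoded = decodePath(rawPath).toLowerCase();
  return prefixes.some((p) => decoded.startsWith(p));
}

// Returns flagged entries; served === true means a 2xx response, i.e. the file went out.
function scanAccessLog(lines, prefixes = PROTECTED_PREFIXES) {
  return lines
    .map(parseAccessLogLine)
    .filter((e) => e && isEncodedSlashBypassAttempt(e.path, prefixes))
    .map((e) => ({ ...e, decodedPath: decodePath(e.path), served: e.status >= 200 && e.status < 300 }));
}

// Constructed sample log lines (not real traffic).
const SAMPLE_LOG = [
  '203.0.113.5 - - [10/Mar/2026:12:00:01 +0000] "GET /admin/ HTTP/1.1" 401 0',
  '203.0.113.5 - - [10/Mar/2026:12:00:02 +0000] "GET /admin%2Fconfig.json HTTP/1.1" 200 512',
  '203.0.113.5 - - [10/Mar/2026:12:00:03 +0000] "GET /admin%252Fusers.json HTTP/1.1" 200 2048',
  '198.51.100.9 - - [10/Mar/2026:12:00:04 +0000] "GET /public/logo%2Fold.png HTTP/1.1" 200 3000',
];
console.log(scanAccessLog(SAMPLE_LOG));
```

Entries with served === true are the ones to triage first, since a 2xx response on a protected prefix means the middleware was actually skipped.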
