CVE-2026-29087
📋 TL;DR
This vulnerability allows attackers to bypass route-based middleware protections in @hono/node-server applications by using URL-encoded slashes (%2F) in paths. When static file serving is configured with protected routes (like /admin/*), the inconsistent URL decoding between routing middleware and static file resolution can allow unauthorized access to protected resources. This affects all applications using @hono/node-server versions before 1.19.10 with static file serving and route-based access controls.
💻 Affected Systems
- @hono/node-server
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain unauthorized access to sensitive static files (configuration files, credentials, admin interfaces, proprietary data) that should be protected by middleware authentication/authorization.
Likely Case
Unauthorized access to protected static resources like admin panels, configuration files, or sensitive documents that should require authentication.
If Mitigated
Even with proper controls, the vulnerability could still expose static files if the middleware protection relies solely on route matching without additional validation.
🎯 Exploit Status
Exploitation requires no authentication and involves simple URL manipulation with encoded slashes. The technique is well-known in web security (path traversal via encoded characters).
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.19.10
Vendor Advisory: https://github.com/honojs/node-server/security/advisories/GHSA-wc8c-qw6v-h7f6
Restart Required: Yes
Instructions:
1. Update the @hono/node-server dependency to version 1.19.10 or later.
2. Update package.json: "@hono/node-server": "^1.19.10".
3. Run npm update or yarn upgrade.
4. Restart the Node.js application.
🔧 Temporary Workarounds
Disable static file serving for protected routes
Remove static file serving from routes that have middleware protections, or move protected static files outside of static serving directories.
Implement additional middleware validation
Add custom middleware that normalizes URLs (decodes %2F to /) before route matching to ensure consistent processing.
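As an added example (not code from the advisory or from the hono project), the following framework-free JavaScript shows the mismatch and the normalizing check this workaround describes: a guard that matches the raw path misses /admin%2Fconfig.json, while the same prefix test after a single percent-decode and segment normalization catches it. All function names are hypothetical, and the normalization is an assumption about what a static file resolver effectively sees, not a reading of the project's code.

```javascript
// Added example with hypothetical helper names; not advisory or hono project code.

// A route guard that matches on the raw (still percent-encoded) path, as a
// router that runs before any decoding would. "/admin%2Fconfig.json" does not
// start with "/admin/", so the protected-route middleware is never invoked.
function rawGuardProtects(rawPath, prefix) {
  return rawPath === prefix || rawPath.startsWith(prefix + '/');
}

// Normalize a raw request path the way a static file resolver effectively
// sees it: percent-decode once, drop empty and "." segments, resolve "..".
// Returns null for anything that cannot be normalized safely (fail closed).
function normalizePath(rawPath) {
  let decoded;
  try {
    decoded = decodeURIComponent(rawPath);
  } catch {
    return null;                              // malformed percent-encoding
  }
  // Bytes still encoded after one decode (double encoding), NUL bytes and
  // backslashes are rejected rather than guessed at.
  if (/[%\0\\]/.test(decoded)) return null;
  const segments = [];
  for (const seg of decoded.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') {
      if (segments.length === 0) return null;  // would escape the root
      segments.pop();
      continue;
    }
    segments.push(seg);
  }
  return '/' + segments.join('/');
}

// Same prefix test, applied to the normalized path. This is the check a
// "normalize before route matching" middleware performs; prefix is given
// without a trailing slash or wildcard, e.g. "/admin" for "/admin/*".
function normalizedGuardProtects(rawPath, prefix) {
  const path = normalizePath(rawPath);
  return path === null || path === prefix || path.startsWith(prefix + '/');
}

// Decide whether a request may reach static file serving: unauthenticated
// requests for anything under a protected prefix are denied.
function decide(rawPath, protectedPrefixes, isAuthenticated) {
  const hit = protectedPrefixes.some((p) => normalizedGuardProtects(rawPath, p));
  return hit && !isAuthenticated ? 'deny' : 'allow';
}
```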
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block requests containing encoded slashes (%2F) in protected paths.
- Move sensitive static files outside of publicly accessible directories and serve them through protected API endpoints instead.
🔍 How to Verify
Check if Vulnerable:
Check if your application uses @hono/node-server version <1.19.10 AND has static file serving configured with route-based middleware protections (e.g., protecting paths like /admin/*).
Check Version:
npm list @hono/node-server
Verify Fix Applied:
After updating to 1.19.10+, test that accessing protected routes with encoded slashes (e.g., /admin%2Ffile.txt) no longer bypasses middleware and returns appropriate access denied responses.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests containing %2F in paths that should be protected
- Successful access to protected static files without authentication logs
- 404 errors for encoded slash requests after patching
Network Indicators:
- HTTP requests with encoded slashes targeting protected routes
- Unusual file access patterns bypassing normal authentication flows
SIEM Query:
http.url:*%2F* AND (http.status:200 OR http.status:304) AND NOT user.authenticated:true