Hono (Framework), Auth Bypass, CVE-2026-29045 (High)

Listen to this Post

Hono version prior to 4.12.4 suffers from an authorization bypass vulnerability due to inconsistent URL decoding between its router and `serveStatic` middleware. The router uses decodeURI, which does not decode encoded slashes (%2F), while `serveStatic` uses decodeURIComponent, which does decode them. This discrepancy allows an attacker to craft a path like /admin%2Fsecret.html. The router sees the literal string `/admin%2Fsecret.html` and does not match it against a middleware rule protecting /admin/, thus bypassing the authorization check. However, when the request reaches the `serveStatic` middleware, the path is decoded to /admin/secret.html, and the file is served from the filesystem. This results in unauthorized access to protected static resources without triggering the intended route-based middleware protections .

dailycve form:

Platform: Hono Framework
Version: Prior 4.12.4
Vulnerability: Auth Bypass
Severity: High
date: March 4, 2026

Prediction: Already patched (4.12.4)

What Undercode Say:

Vulnerable Code Pattern

The vulnerability exists when an application uses route-based middleware to protect a static subdirectory. For example:

import { serveStatic } from '@hono/node-server/serve-static'
const app = new Hono()
// Intended to protect the /admin route
app.use('/admin/', async (c, next) => {
// Authentication/Authorization logic here
console.log('Middleware running for:', c.req.path)
await next()
})
// Static file serving for the entire public directory
app.use('', serveStatic({ root: './public' }))

In this configuration, a request to `/admin%2Fsecret.html` will not trigger the middleware, but the file at `./public/admin/secret.html` will still be served.

Exploit

An attacker can access protected files by URL-encoding the slashes in the path. For instance, to access a file at /admin/panel/config.json, an attacker would request:

curl http://victim.com/admin%2Fpanel%2Fconfig.json

This request bypasses the `app.use(‘/admin/’, …)` middleware but is still resolved by `serveStatic` to the correct filesystem path.

Verification

To verify if your application is vulnerable, you can test an endpoint that should be protected:

Expected: 403 Forbidden or redirect
curl -I http://victim.com/admin/secrets.txt
Test for bypass:
curl -I http://victim.com/admin%2Fsecrets.txt

If the first request is blocked but the second returns a `200 OK` or the file content, the application is vulnerable.

Protection

The vulnerability is fixed in Hono version 4.12.4 . The patch ensures consistent URL decoding across the routing and static serving layers. Upgrade immediately:

npm install [email protected]

Or, if using `@hono/node-server`:

npm install @hono/[email protected] Or the version including the patch

The specific commit fixing this issue is 6a0607a .

Impact

  • Confidentiality: High. An unauthenticated attacker can read sensitive static files intended to be private, such as configuration files, internal documents, or user data.
  • Integrity: None. The attacker cannot modify data.
  • Availability: None. The service remains operational.
  • Attack Vector: Network. The vulnerability is exploitable remotely.
  • Complexity: Low. No special conditions or authentication are required .
  • Scope: Applications using `serveStatic` with route-based middleware to protect subpaths are affected. This does not allow path traversal outside the static root but completely bypasses the intended authorization for protected subdirectories .

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Previous

D-Link DIR-513, Stack Buffer Overflow, CVE-2025-70226 (Critical)

Scroll to Top