Listen to this Post
Hono version prior to 4.12.4 suffers from an authorization bypass vulnerability due to inconsistent URL decoding between its router and `serveStatic` middleware. The router uses decodeURI, which does not decode encoded slashes (%2F), while `serveStatic` uses decodeURIComponent, which does decode them. This discrepancy allows an attacker to craft a path like /admin%2Fsecret.html. The router sees the literal string `/admin%2Fsecret.html` and does not match it against a middleware rule protecting /admin/, thus bypassing the authorization check. However, when the request reaches the `serveStatic` middleware, the path is decoded to /admin/secret.html, and the file is served from the filesystem. This results in unauthorized access to protected static resources without triggering the intended route-based middleware protections .
dailycve form:
Platform: Hono Framework
Version: Prior 4.12.4
Vulnerability: Auth Bypass
Severity: High
date: March 4, 2026
Prediction: Already patched (4.12.4)
What Undercode Say:
Vulnerable Code Pattern
The vulnerability exists when an application uses route-based middleware to protect a static subdirectory. For example:
import { serveStatic } from '@hono/node-server/serve-static'
const app = new Hono()
// Intended to protect the /admin route
app.use('/admin/', async (c, next) => {
// Authentication/Authorization logic here
console.log('Middleware running for:', c.req.path)
await next()
})
// Static file serving for the entire public directory
app.use('', serveStatic({ root: './public' }))
In this configuration, a request to `/admin%2Fsecret.html` will not trigger the middleware, but the file at `./public/admin/secret.html` will still be served.
Exploit
An attacker can access protected files by URL-encoding the slashes in the path. For instance, to access a file at /admin/panel/config.json, an attacker would request:
curl http://victim.com/admin%2Fpanel%2Fconfig.json
This request bypasses the `app.use(‘/admin/’, …)` middleware but is still resolved by `serveStatic` to the correct filesystem path.
Verification
To verify if your application is vulnerable, you can test an endpoint that should be protected:
Expected: 403 Forbidden or redirect curl -I http://victim.com/admin/secrets.txt Test for bypass: curl -I http://victim.com/admin%2Fsecrets.txt
If the first request is blocked but the second returns a `200 OK` or the file content, the application is vulnerable.
Protection
The vulnerability is fixed in Hono version 4.12.4 . The patch ensures consistent URL decoding across the routing and static serving layers. Upgrade immediately:
npm install [email protected]
Or, if using `@hono/node-server`:
npm install @hono/[email protected] Or the version including the patch
The specific commit fixing this issue is 6a0607a .
Impact
- Confidentiality: High. An unauthenticated attacker can read sensitive static files intended to be private, such as configuration files, internal documents, or user data.
- Integrity: None. The attacker cannot modify data.
- Availability: None. The service remains operational.
- Attack Vector: Network. The vulnerability is exploitable remotely.
- Complexity: Low. No special conditions or authentication are required .
- Scope: Applications using `serveStatic` with route-based middleware to protect subpaths are affected. This does not allow path traversal outside the static root but completely bypasses the intended authorization for protected subdirectories .
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode
🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]
📢 Follow DailyCVE & Stay Tuned:
𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin
D-Link DIR-513, Stack Buffer Overflow, CVE-2025-70226 (Critical)
