How GHSA-wwfh-h76j-fc44 Works
This vulnerability exists in the `serve-static` middleware of the Hono web framework when running on Windows operating systems. The core issue stems from inconsistent path parsing between the web router and the underlying Windows file system.
The Hono router splits URL paths using the forward slash (`/`) as the sole separator. When a request is made to a path like `/admin%5Csecret.txt`, the router decodes `%5C` to a backslash (`\`). However, because the router only splits on `/`, it treats the entire string `admin\secret.txt` as a single URL segment.
This becomes problematic when prefix-mounted middleware is used to protect a static subtree. For example, if middleware is mounted on `/admin/`, the router's segment-based matching fails to trigger because it sees `admin\secret.txt` as one segment rather than `admin` and `secret.txt`. The request bypasses the intended access control and is passed directly to the `serve-static` handler.
The `serve-static` middleware's path guard attempts to block directory traversal by rejecting sequences such as `.`, `..`, and consecutive separators. However, it permits a lone backslash (`\`) to pass validation. On Windows, the file system resolver treats backslashes as valid path separators. Consequently, when the file resolver processes `admin\secret.txt`, it interprets it as a nested file within the `admin` subdirectory.
An attacker can exploit this by encoding a backslash as `%5C` in the URL path. The router sees a single segment and skips prefix-mounted middleware, while the Windows file system resolves the backslash as a separator and serves the protected file. The `serve-static` guard blocks traditional `..` traversal, so the read is confined to files within the configured root directory.
This vulnerability affects Windows hosts serving static files via Hono’s Node, Bun, or Deno adapters. It enables an unauthenticated attacker to read static files that were intended to be protected behind prefix-mounted middleware.
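The following is an added example, not Hono's code, that models the three pieces described above as small functions so the interaction can be observed offline: a router that decodes and then splits on `/` only, a prefix-mounted middleware check that compares segments, the pre-fix guard as the advisory describes it beside a hardened guard that also rejects backslashes, and a Windows-style resolver that accepts either separator. All function names, the mount point and the root directory are this example's own assumptions.

```javascript
// Added example (not Hono's code): a simplified model of the router, the
// prefix-mounted middleware check, the serve-static path guard and a
// Windows-style file resolver. Names and paths are assumptions.

// Model of the router: decode the URL path, then split on "/" only, so a
// decoded backslash stays inside a single segment.
function routerSegments(rawPath) {
  const decoded = decodeURIComponent(rawPath);
  return decoded.split('/').filter((s) => s.length > 0);
}

// Model of prefix-mounted middleware: it fires only when the request's leading
// segments are exactly the mount's segments.
function prefixMiddlewareMatches(mountPrefix, rawPath) {
  const mount = routerSegments(mountPrefix);
  const req = routerSegments(rawPath);
  if (req.length < mount.length) return false;
  return mount.every((seg, i) => seg === req[i]);
}

// Model of the pre-fix guard as the advisory describes it: rejects "." and ".."
// segments and consecutive separators, but says nothing about a lone backslash.
function vulnerableGuard(relPath) {
  if (relPath.includes('//')) return false; // consecutive separators
  const parts = relPath.split('/');
  return !parts.some((p) => p === '.' || p === '..');
}

// Hardened guard: same rules, plus any backslash is rejected, so the file
// resolver never sees a separator the router did not see.
function hardenedGuard(relPath) {
  if (relPath.includes('\\')) return false;
  return vulnerableGuard(relPath);
}

// Model of a Windows file resolver: both "/" and "\" are separators. The real
// resolver is the OS; this only shows which file would be opened.
function windowsResolve(root, relPath) {
  const parts = relPath.split(/[\\/]+/).filter((s) => s.length > 0);
  return [root, ...parts].join('\\');
}

// End-to-end decision for one request. `mount` and `root` are assumed values.
function handleRequest(rawPath, options = {}) {
  const {
    mount = '/admin/',
    root = 'C:\\site\\public',
    guard = vulnerableGuard,
  } = options;
  if (prefixMiddlewareMatches(mount, rawPath)) {
    return { outcome: 'middleware' }; // the protection runs
  }
  const rel = routerSegments(rawPath).join('/');
  if (!guard(rel)) {
    return { outcome: 'guard-rejected' };
  }
  return { outcome: 'served', file: windowsResolve(root, rel) };
}

// Walk the advisory's request through both guards.
console.log(handleRequest('/admin/secret.txt'));
console.log(handleRequest('/admin%5Csecret.txt'));
console.log(handleRequest('/admin%5Csecret.txt', { guard: hardenedGuard }));
console.log(handleRequest('/..%2Fetc/passwd'));
```

With the pre-fix guard the encoded-backslash request skips the middleware and resolves to `C:\site\public\admin\secret.txt`; with the hardened guard the same request is rejected, and a `..` request is rejected by both, which matches the advisory's statement that the read stays inside the static root.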
DailyCVE Form:
Platform: Windows
Version: Hono serve-static (Node, Bun, Deno adapters)
Vulnerability: Path traversal via encoded backslash (%5C)
Severity: Medium
Date: June 16, 2026
Prediction: Patch available in Hono v4.12.25
What Undercode Say:
Check whether the application uses Hono's serve-static middleware on Windows.
Identify the Hono version from package.json or bun.lockb:
cat package.json | grep -i hono
Test for the vulnerability by requesting a known file with an encoded backslash. This attempts to read a file protected by prefix-mounted middleware:
curl --path-as-is "http://target.com/admin%5Csecret.txt"
If the server responds with the contents of admin/secret.txt, it is vulnerable.
Compare with the normal path to confirm the protection exists:
curl "http://target.com/admin/secret.txt"
Exploit:
An unauthenticated attacker can craft a URL with an encoded backslash (%5C) to bypass prefix-mounted middleware protections. For example, if a server has middleware protecting /admin/, a request to `/admin%5Csecret.txt` will bypass the middleware. The `serve-static` handler will then serve `admin\secret.txt` from the file system. The attack is limited to reading files within the configured static root, as directory escape sequences (..) are blocked.
Protection:
Update to Hono version v4.12.25 or later. This release fixes the path guard to reject lone backslashes. If immediate updating is not possible, avoid using `serve-static` middleware on Windows systems, or ensure that all static files are publicly accessible and do not require prefix-mounted middleware protection.
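As an added example (not Hono's code and not the fix shipped in v4.12.25), the block below shows an interim control of this example's own suggestion for deployments that cannot upgrade immediately: a pre-filter that rejects any request whose decoded path contains a backslash before it can reach `serve-static`, and the same check applied to access-log lines so earlier requests can be reviewed. The `ctx.rawPath` field, the middleware shape and the log format are assumptions; the log lines are constructed, not captured.

```javascript
// Added example (not Hono's code): an interim pre-filter and a log scan for
// encoded-backslash requests. Names, the ctx shape and the log lines are
// this example's own assumptions.

// True when the decoded path contains a backslash. Malformed percent-encoding
// is treated as suspicious and rejected rather than passed through.
function containsBackslash(rawPath) {
  let decoded;
  try {
    decoded = decodeURIComponent(rawPath);
  } catch (e) {
    return true;
  }
  return decoded.includes('\\');
}

// Middleware-shaped pre-filter. `ctx.rawPath` stands in for the still-encoded
// request path a framework exposes; it is assumed to be registered ahead of
// serve-static (hypothetical wiring, e.g. app.use('*', ...) in Hono).
function backslashPreFilter(ctx, next) {
  if (containsBackslash(ctx.rawPath)) {
    return { status: 400, body: 'Bad Request' };
  }
  return next();
}

// Constructed Common Log Format lines for the scan below (not real traffic).
const SAMPLE_LOG = [
  '203.0.113.5 - - [16/Jun/2026:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
  '203.0.113.5 - - [16/Jun/2026:10:00:02 +0000] "GET /admin%5Csecret.txt HTTP/1.1" 200 1024',
  '203.0.113.7 - - [16/Jun/2026:10:00:03 +0000] "GET /admin/secret.txt HTTP/1.1" 401 0',
  '203.0.113.9 - - [16/Jun/2026:10:00:04 +0000] "GET /assets%5clogo.png HTTP/1.1" 404 0',
];

// Return the entries whose request path decodes to contain a backslash.
// `served` marks the 200 responses, which are the ones to escalate; the
// others still show probing and are worth keeping.
function scanAccessLog(lines) {
  const re = /"(?:GET|HEAD|POST) (\S+) HTTP\/[\d.]+" (\d{3})/;
  const hits = [];
  for (const line of lines) {
    const m = re.exec(line);
    if (!m) continue;
    const path = m[1];
    const status = Number(m[2]);
    if (containsBackslash(path)) {
      hits.push({ path, status, served: status === 200 });
    }
  }
  return hits;
}

console.log(backslashPreFilter({ rawPath: '/admin%5Csecret.txt' }, () => 'next'));
console.log(backslashPreFilter({ rawPath: '/admin/secret.txt' }, () => 'next'));
console.log(scanAccessLog(SAMPLE_LOG));
```

The pre-filter decodes before checking so that `%5C`, `%5c` and a literal backslash are all caught by one rule; the log scan reuses the same predicate, so detection and prevention cannot drift apart.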
Impact:
An unauthenticated attacker can read static files that were intended to be protected behind prefix-mounted middleware. The read is confined to the configured static root; escape outside the root is not possible. This can lead to unauthorized access to sensitive static assets such as configuration files, source code, or other resources that were meant to be restricted.
Sources:
Reported By: github.com