CVE-2026-29087

Severity: High · EPSS: 24.4%
CVSS 3.1 base score: 7.5 (High)
Published: Mar 6, 2026 (3mo ago) · Last modified: Jun 17, 2026 (1w ago)

Description

@hono/node-server allows running the Hono application on Node.js. Prior to version 1.19.10, when using @hono/node-server's static file serving together with route-based middleware protections (e.g. protecting /admin/*), inconsistent URL decoding can allow protected static resources to be accessed without authorization. In particular, paths containing encoded slashes (%2F) may be evaluated differently by routing/middleware matching versus static file path resolution, enabling a bypass where middleware does not run but the static file is still served. This issue has been patched in version 1.19.10.

CVSS Details

Base Score
7.5
Exploitability
3.9
Impact
3.6
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality High
Integrity None
Availability None

Threat Intelligence

EPSS Exploit Probability
24.4% (percentile)
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses (1)

CWE-863 Incorrect Authorization

Affected Products (1)

Vendor   Product       Version   Range
hono     node-server   *         <1.19.10

References (2)

  • github.com https://github.com/honojs/node-server/commit/455015be1697dd89974a68b70350ea7b2d126d2e
    Patch
  • github.com https://github.com/honojs/node-server/security/advisories/GHSA-wc8c-qw6v-h7f6
    Vendor Advisory

Remediation

  • github.com https://github.com/honojs/node-server/commit/455015be1697dd89974a68b70350ea7b2d126d2e
    Patch