{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-29087", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-03T20:51:43.484Z", "datePublished": "2026-03-06T17:03:30.412Z", "dateUpdated": "2026-03-06T18:02:36.517Z"}, "containers": {"cna": {"title": "@hono/node-server: Authorization bypass for protected static paths via encoded slashes in Serve Static Middleware", "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "lang": "en", "description": "CWE-863: Incorrect Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/honojs/node-server/security/advisories/GHSA-wc8c-qw6v-h7f6", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/honojs/node-server/security/advisories/GHSA-wc8c-qw6v-h7f6"}, {"name": "https://github.com/honojs/node-server/commit/455015be1697dd89974a68b70350ea7b2d126d2e", "tags": ["x_refsource_MISC"], "url": "https://github.com/honojs/node-server/commit/455015be1697dd89974a68b70350ea7b2d126d2e"}], "affected": [{"vendor": "honojs", "product": "node-server", "versions": [{"version": "< 1.19.10", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-06T17:03:30.412Z"}, "descriptions": [{"lang": "en", "value": "@hono/node-server allows running the Hono application on Node.js. Prior to version 1.19.10, when using @hono/node-server's static file serving together with route-based middleware protections (e.g. protecting /admin/*), inconsistent URL decoding can allow protected static resources to be accessed without authorization. In particular, paths containing encoded slashes (%2F) may be evaluated differently by routing/middleware matching versus static file path resolution, enabling a bypass where middleware does not run but the static file is still served. This issue has been patched in version 1.19.10."}], "source": {"advisory": "GHSA-wc8c-qw6v-h7f6", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-06T17:58:30.981713Z", "id": "CVE-2026-29087", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-06T18:02:36.517Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-29087", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-06T17:58:30.981713Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-06T18:02:31.957Z"}}], "cna": {"title": "@hono/node-server: Authorization bypass for protected static paths via encoded slashes in Serve Static Middleware", "source": {"advisory": "GHSA-wc8c-qw6v-h7f6", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "honojs", "product": "node-server", "versions": [{"status": "affected", "version": "< 1.19.10"}]}], "references": [{"url": "https://github.com/honojs/node-server/security/advisories/GHSA-wc8c-qw6v-h7f6", "name": "https://github.com/honojs/node-server/security/advisories/GHSA-wc8c-qw6v-h7f6", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/honojs/node-server/commit/455015be1697dd89974a68b70350ea7b2d126d2e", "name": "https://github.com/honojs/node-server/commit/455015be1697dd89974a68b70350ea7b2d126d2e", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "@hono/node-server allows running the Hono application on Node.js. Prior to version 1.19.10, when using @hono/node-server's static file serving together with route-based middleware protections (e.g. protecting /admin/*), inconsistent URL decoding can allow protected static resources to be accessed without authorization. In particular, paths containing encoded slashes (%2F) may be evaluated differently by routing/middleware matching versus static file path resolution, enabling a bypass where middleware does not run but the static file is still served. This issue has been patched in version 1.19.10."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863: Incorrect Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-06T17:03:30.412Z"}}}, "cveMetadata": {"cveId": "CVE-2026-29087", "state": "PUBLISHED", "dateUpdated": "2026-03-06T18:02:36.517Z", "dateReserved": "2026-03-03T20:51:43.484Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-06T17:03:30.412Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:hono:node-server:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "8D3962AC-2C38-4050-BDD6-A695D5B1F50F", "versionEndExcluding": "1.19.10", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "@hono/node-server allows running the Hono application on Node.js. Prior to version 1.19.10, when using @hono/node-server's static file serving together with route-based middleware protections (e.g. protecting /admin/*), inconsistent URL decoding can allow protected static resources to be accessed without authorization. In particular, paths containing encoded slashes (%2F) may be evaluated differently by routing/middleware matching versus static file path resolution, enabling a bypass where middleware does not run but the static file is still served. This issue has been patched in version 1.19.10."}, {"lang": "es", "value": "@hono/node-server permite ejecutar la aplicaci\u00f3n Hono en Node.js. Antes de la versi\u00f3n 1.19.10, al usar el servicio de archivos est\u00e1ticos de @hono/node-server junto con protecciones de middleware basadas en rutas (por ejemplo, protegiendo /admin/*), una decodificaci\u00f3n de URL inconsistente puede permitir que los recursos est\u00e1ticos protegidos sean accedidos sin autorizaci\u00f3n. En particular, las rutas que contienen barras codificadas (%2F) pueden ser evaluadas de manera diferente por la coincidencia de enrutamiento/middleware frente a la resoluci\u00f3n de rutas de archivos est\u00e1ticos, lo que permite una omisi\u00f3n donde el middleware no se ejecuta pero el archivo est\u00e1tico a\u00fan es servido. Este problema ha sido parcheado en la versi\u00f3n 1.19.10."}], "id": "CVE-2026-29087", "lastModified": "2026-04-14T17:36:58.930", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-06T18:16:19.757", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/honojs/node-server/commit/455015be1697dd89974a68b70350ea7b2d126d2e"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/honojs/node-server/security/advisories/GHSA-wc8c-qw6v-h7f6"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.19.10)"}}], "enrichment": {"confidence": 94.0, "confidence_source": "matching", "scores": [{"score": 94.0, "source": "matching"}]}, "original": {"product": "node-server", "source": "cna", "vendor": "honojs"}, "product": "node-server", "vendor": "hono"}], "analysis": {"en": {"generated_at": "2026-04-16T11:18:28.151072+00:00", "value": {"mitigation_remediation": ["Upgrade @hono/node-server to version 1.19.10 or later to apply the patched URL decoding logic.", "Audit the static file routes to ensure that no sensitive content is unintentionally exposed after the upgrade.", "If an upgrade is not immediately possible, add a pre\u2011static middleware that rejects paths containing encoded slashes or enforce explicit path validation for protected directories."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized access to protected static files"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Honojs node-server package. All releases prior to 1.19.10 may serve protected static resources without authentication. The fix is available in version 1.19.10.", "description_and_impact": "@hono/node-server allows static file serving to be bypassed when a request URL contains encoded slashes (%2F). The routing and middleware matchers decode URLs inconsistently with the static file resolver, letting requests that should trigger protected middleware skip it and reach the file handler. This results in an authorization bypass, exposing any file placed under a protected path. The weakness is categorized as CWE-863, short\u2011circuit state control.", "risk_and_exploitability": "The CVSS score of 7.5 indicates a high impact, but the EPSS score is less than 1% and the vulnerability is not listed in the KEV catalog, suggesting that exploitation is unlikely in the wild. Nevertheless, an attacker who can send HTTP requests to the target can construct a path such as \"/admin%2Fsecret.txt\" to retrieve static content intended to be protected. No additional privileges or elevated access are required, making the attack straightforward for anyone with network connectivity to the server."}}}}, "created": "2026-03-09T10:07:17.224728+00:00", "updated": "2026-04-16T11:30:15.898881+00:00", "vendors": ["hono", "hono$PRODUCT$node-server"]}