{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39407", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-07T00:23:30.594Z", "datePublished": "2026-04-08T14:41:20.301Z", "dateUpdated": "2026-04-08T16:04:59.862Z"}, "containers": {"cna": {"title": "Hono has a middleware bypass via repeated slashes in serveStatic", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/honojs/hono/security/advisories/GHSA-wmmm-f939-6g9c", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/honojs/hono/security/advisories/GHSA-wmmm-f939-6g9c"}, {"name": "https://github.com/honojs/hono/commit/9aff14bd727f8b0435c963363fd803260e7b8e3c", "tags": ["x_refsource_MISC"], "url": "https://github.com/honojs/hono/commit/9aff14bd727f8b0435c963363fd803260e7b8e3c"}, {"name": "https://github.com/honojs/hono/releases/tag/v4.12.12", "tags": ["x_refsource_MISC"], "url": "https://github.com/honojs/hono/releases/tag/v4.12.12"}], "affected": [{"vendor": "honojs", "product": "hono", "versions": [{"version": "< 4.12.12", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-08T14:41:20.301Z"}, "descriptions": [{"lang": "en", "value": "Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, a path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes (//) in the request path. When route-based middleware (e.g., /admin/*) is used for authorization, the router may not match paths containing repeated slashes, while serveStatic resolves them as normalized paths. This can lead to a middleware bypass. This vulnerability is fixed in 4.12.12."}], "source": {"advisory": "GHSA-wmmm-f939-6g9c", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-08T16:04:53.788586Z", "id": "CVE-2026-39407", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T16:04:59.862Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-39407", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-08T16:04:53.788586Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T16:04:56.868Z"}}], "cna": {"title": "Hono has a middleware bypass via repeated slashes in serveStatic", "source": {"advisory": "GHSA-wmmm-f939-6g9c", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "honojs", "product": "hono", "versions": [{"status": "affected", "version": "< 4.12.12"}]}], "references": [{"url": "https://github.com/honojs/hono/security/advisories/GHSA-wmmm-f939-6g9c", "name": "https://github.com/honojs/hono/security/advisories/GHSA-wmmm-f939-6g9c", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/honojs/hono/commit/9aff14bd727f8b0435c963363fd803260e7b8e3c", "name": "https://github.com/honojs/hono/commit/9aff14bd727f8b0435c963363fd803260e7b8e3c", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/honojs/hono/releases/tag/v4.12.12", "name": "https://github.com/honojs/hono/releases/tag/v4.12.12", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, a path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes (//) in the request path. When route-based middleware (e.g., /admin/*) is used for authorization, the router may not match paths containing repeated slashes, while serveStatic resolves them as normalized paths. This can lead to a middleware bypass. This vulnerability is fixed in 4.12.12."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-08T14:41:20.301Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39407", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:04:59.862Z", "dateReserved": "2026-04-07T00:23:30.594Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-08T14:41:20.301Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:hono:hono:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "295EEF12-243F-4561-B181-C19451B5285C", "versionEndIncluding": "4.12.11", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, a path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes (//) in the request path. When route-based middleware (e.g., /admin/*) is used for authorization, the router may not match paths containing repeated slashes, while serveStatic resolves them as normalized paths. This can lead to a middleware bypass. This vulnerability is fixed in 4.12.12."}], "id": "CVE-2026-39407", "lastModified": "2026-04-21T18:36:36.133", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-08T15:16:14.667", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/honojs/hono/commit/9aff14bd727f8b0435c963363fd803260e7b8e3c"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/honojs/hono/releases/tag/v4.12.12"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/honojs/hono/security/advisories/GHSA-wmmm-f939-6g9c"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.12.12)"}}], "enrichment": {"confidence": 90.0, "confidence_source": "matching", "scores": [{"score": 90.0, "source": "matching"}]}, "original": {"product": "hono", "source": "cna", "vendor": "honojs"}, "product": "hono", "vendor": "hono"}], "analysis": {"en": {"generated_at": "2026-04-08T16:51:24.455235+00:00", "value": {"mitigation_remediation": ["Update to Hono 4.12.12 or later to eliminate the path normalization flaw."], "summary": {"action": "Patch", "impact": "Middleware Bypass"}, "threat_synthesis": {"affected_systems": "The vulnerability impacts the Hono web application framework from honojs. Versions prior to 4.12.12 are vulnerable when serveStatic is used to expose static resources behind authorization middleware such as /admin/*. The issue applies to any JavaScript runtime that runs a affected Hono release and serves protected static files.", "description_and_impact": "The flaw arises from Hono\u2019s serveStatic component normalizing double slashes in request paths, allowing a crafted URL with repeated slashes to bypass route\u2011based middleware that protects protected static files. This path handling inconsistency is a CWE\u201122 weakness, which can lead to unauthorized access to sensitive data.", "risk_and_exploitability": "The CVSS score of 5.3 indicates moderate severity. No EPSS score is reported and the flaw is not listed in the CISA KEV catalog. An attacker can remotely trigger the bypass by sending an HTTP request with repeated slashes to the target server; the framework normalizes the path while the router fails to match the middleware rule, resulting in unauthorized exposure of protected content."}}}}, "created": "2026-04-08T19:39:14.488129+00:00", "updated": "2026-04-09T08:18:49.166587+00:00", "vendors": ["hono", "hono$PRODUCT$hono"]}