{"id":"GHSA-wc8c-qw6v-h7f6","summary":"@hono/node-server has authorization bypass for protected static paths via encoded slashes in Serve Static Middleware","details":"## Summary\n\nWhen using @hono/node-server's static file serving together with route-based middleware protections (e.g. protecting `/admin/*`), inconsistent URL decoding can allow protected static resources to be accessed without authorization.\n\nIn particular, paths containing encoded slashes (`%2F`) may be evaluated differently by routing/middleware matching versus static file path resolution, enabling a bypass where middleware does not run but the static file is still served.\n\n## Details\n\nThe routing layer and the node-server static handler normalize request paths differently. The router preserves `%2F` as a literal string when matching routes, while the static handler decodes `%2F` into `/` before resolving the filesystem path.\n\nExample request:\n\n- `/admin%2Fsecret.html`\n\nThis may:\n- fail to match middleware intended for `/admin/*`, but\n- still be resolved by the static handler as `/admin/secret.html` under the configured static root.\n\nThis does not allow access outside the configured static root and is not a path traversal vulnerability.\n\n## Impact\n\nAn unauthenticated attacker could bypass route-based authorization protections for protected static resources by supplying paths containing encoded slashes.\n\nApplications relying solely on route-based middleware to protect static subpaths under the same static root may have exposed those resources.","aliases":["CVE-2026-29087"],"modified":"2026-03-10T19:43:56.563021Z","published":"2026-03-04T20:05:49Z","related":["CGA-676w-93cv-mf32"],"database_specific":{"cwe_ids":["CWE-863"],"github_reviewed_at":"2026-03-04T20:05:49Z","github_reviewed":true,"severity":"HIGH","nvd_published_at":"2026-03-06T18:16:19Z"},"references":[{"type":"WEB","url":"https://github.com/honojs/node-server/security/advisories/GHSA-wc8c-qw6v-h7f6"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-29087"},{"type":"WEB","url":"https://github.com/honojs/node-server/commit/455015be1697dd89974a68b70350ea7b2d126d2e"},{"type":"PACKAGE","url":"https://github.com/honojs/node-server"}],"affected":[{"package":{"name":"@hono/node-server","ecosystem":"npm","purl":"pkg:npm/%40hono/node-server"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.19.10"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-wc8c-qw6v-h7f6/GHSA-wc8c-qw6v-h7f6.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}]}