CVE-2026-29045
Hono vulnerable to arbitrary file access via serveStatic vulnerability
Description
## Summary When using `serveStatic` together with route-based middleware protections (e.g. `app.use('/admin/*', ...)`), inconsistent URL decoding allowed protected static resources to be accessed without authorization. The router used `decodeURI`, while `serveStatic` used `decodeURIComponent`. This mismatch allowed paths containing encoded slashes (`%2F`) to bypass middleware protections while still resolving to the intended filesystem path. ## Details The routing layer preserved `%2F` as a literal string, while `serveStatic` decoded it into `/` before resolving the file path. Example: Request: `/admin%2Fsecret.html` - Router sees: `/admin%2Fsecret.html` → does not match `/admin/*` - Static handler resolves: `/admin/secret.html` As a result, static files under the configured static root could be served without triggering route-based protections. This only affects applications that both: - Protect subpaths using route-based middleware, and - Serve files from the same static root using `serveStatic`. This does **not** allow access outside the static root and is **not** a path traversal vulnerability. ## Impact An unauthenticated attacker could bypass route-based authorization for protected static resources by supplying paths containing encoded slashes. Applications relying solely on route-based middleware to protect static subpaths may have exposed those resources.
How to fix CVE-2026-29045
To remediate CVE-2026-29045, upgrade the affected package to a fixed version below.
- —upgrade to 4.12.4 or later
Is CVE-2026-29045 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 4.12.4