CVE-2026-39408
Hono: Path traversal in toSSG() allows writing files outside the output directory
Description
## Summary

A path traversal issue in `toSSG()` allows files to be written outside the configured output directory during static site generation. When dynamic route parameters are supplied via `ssgParams`, specially crafted values can cause generated file paths to escape the intended output directory.

## Details

The static site generation process creates output files based on route paths derived from application routes and parameters. When `ssgParams` is used to provide values for dynamic routes, those values are used to construct output file paths. If a value contains traversal sequences (e.g. `..`), the resulting output path may resolve outside the configured output directory. As a result, files may be written to unintended locations instead of being confined to the specified output directory.

For example:

```ts
import { Hono } from 'hono'
import { toSSG, ssgParams } from 'hono/ssg'
import fs from 'node:fs/promises' // file-system module toSSG uses to write the generated files

const app = new Hono()

// The parameter value contains a traversal sequence that is carried into the output path.
app.get('/:id', ssgParams([{ id: '../pwned' }]), (c) => {
  return c.text('pwned')
})

toSSG(app, fs, { dir: './static' })
```

In this case, the generated output path may resolve outside `./static`, resulting in a file being written outside the intended output directory.

## Impact

An attacker who can influence values passed to `ssgParams` during the build process may be able to write files outside the intended output directory. Depending on the build and deployment environment, this may:

* overwrite unintended files
* affect generated artifacts
* impact deployment outputs or downstream tooling

This issue is limited to build-time static site generation and does not affect request-time routing.
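To make the containment check concrete, here is an added example (not Hono's own code) that expands `ssgParams` values into route paths and rejects any route whose output file would resolve outside the output directory. `expandRoute`, `safeOutputPath`, `checkSsgParams` and the `route + '.html'` naming rule are assumptions made for this illustration.

```typescript
import * as path from 'node:path'

// Substitute ssgParams-style values into a route pattern such as '/:id'.
// Hypothetical helper for illustration; it is not Hono's router logic.
function expandRoute(pattern: string, params: Record<string, string>): string {
  return pattern.replace(/:([A-Za-z0-9_]+)/g, (_m, name: string) => {
    if (!(name in params)) throw new Error(`missing param ${name}`)
    return params[name]
  })
}

// Map a route path to an output file and verify it stays inside outDir.
// The naming rule (route + '.html', '/' -> 'index.html') is assumed here;
// the containment check is the point of the example.
function safeOutputPath(outDir: string, routePath: string): string {
  const root = path.resolve(outDir)
  const relative = routePath.replace(/^\/+/, '') || 'index'
  const candidate = path.resolve(root, `${relative}.html`)
  // path.relative starts with a '..' segment exactly when candidate is outside root.
  const rel = path.relative(root, candidate)
  if (rel === '' || path.isAbsolute(rel) || rel.split(path.sep)[0] === '..') {
    throw new Error(`refusing to write outside ${root}: ${routePath}`)
  }
  return candidate
}

// Classify every generated route so a build can fail on traversal instead of
// writing the file; returns accepted output paths and rejected route paths.
function checkSsgParams(
  outDir: string,
  pattern: string,
  params: Record<string, string>[]
): { accepted: string[]; rejected: string[] } {
  const accepted: string[] = []
  const rejected: string[] = []
  for (const p of params) {
    const route = expandRoute(pattern, p)
    try {
      accepted.push(safeOutputPath(outDir, route))
    } catch (_err) {
      rejected.push(route)
    }
  }
  return { accepted, rejected }
}

// Constructed sample input mirroring the advisory's example.
console.log(checkSsgParams('./static', '/:id', [{ id: 'hello' }, { id: '../pwned' }]))
```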
How to fix CVE-2026-39408
To remediate CVE-2026-39408, upgrade the affected package to a fixed version below.
- Upgrade `hono` to 4.12.12 or later
Is CVE-2026-39408 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- hono: >= 4.0.0, < 4.12.12