45 matches found
CVE-2026-29045
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.12.4, when using serveStatic together with route-based middleware protections e.g. app.use'/admin/', ..., inconsistent URL decoding allowed protected static resources to be accessed without...
CVE-2026-29045 Hono: Arbitrary file access via serveStatic vulnerability
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.12.4, when using serveStatic together with route-based middleware protections e.g. app.use'/admin/', ..., inconsistent URL decoding allowed protected static resources to be accessed without...
CVE-2026-29045 Hono: Arbitrary file access via serveStatic vulnerability
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.12.4, when using serveStatic together with route-based middleware protections e.g. app.use'/admin/', ..., inconsistent URL decoding allowed protected static resources to be accessed without...
CVE-2026-29045 Hono: Arbitrary file access via serveStatic vulnerability
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.12.4, when using serveStatic together with route-based middleware protections e.g. app.use'/admin/', ..., inconsistent URL decoding allowed protected static resources to be accessed without...
EUVD-2026-9506
Hono vulnerable to arbitrary file access via serveStatic vulnerability...
PT-2026-23075
Name of the Vulnerable Software and Affected Versions Hono versions prior to 4.12.4 Description Hono is a Web application framework supporting various JavaScript runtimes. An inconsistency in URL decoding between the router decodeURI and serveStatic decodeURIComponent allowed protected static...
EUVD-2024-1083
Malicious code in bioql PyPI...
EUVD-2024-0418
Malicious code in bioql PyPI...
CVE-2024-23340
@hono/node-server is an adapter that allows users to run Hono applications on Node.js. Since v1.3.0, @hono/node-server has used its own Request object with url behavior that is unexpected. In the standard API, if the URL contains .., here called "double dots", the URL string returned by Request...
CVE-2024-32869
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.2.7, when using serveStatic with deno, it is possible to traverse the directory where main.ts is located. This can result in retrieval of unexpected files. Version 4.2.7 contains a patch for t...
Path Traversal
Hono is vulnerable to Path Traversal. The vulnerability is caused due due to a lack of proper path validation when using serveStatic with Deno. This allows an attacker to access unintended files through directory traversal, potentially leading to unauthorized data exposure or manipulation...
CVE-2024-32869
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.2.7, when using serveStatic with deno, it is possible to traverse the directory where main.ts is located. This can result in retrieval of unexpected files. Version 4.2.7 contains a patch for t...
CVE-2024-32869 Hono vulnerable to Restricted Directory Traversal in serveStatic with deno
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.2.7, when using serveStatic with deno, it is possible to traverse the directory where main.ts is located. This can result in retrieval of unexpected files. Version 4.2.7 contains a patch for t...
CVE-2024-32869
Hono CVE-2024-32869 involves a path traversal bug in serveStatic when used with Deno, allowing traversal of the directory containing main.ts and potential exposure of unintended files. Affected product: Hono web framework; vulnerable component: serveStatic middleware (Deno runtime path handling)....
CVE-2024-32869 Hono vulnerable to Restricted Directory Traversal in serveStatic with deno
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.2.7, when using serveStatic with deno, it is possible to traverse the directory where main.ts is located. This can result in retrieval of unexpected files. Version 4.2.7 contains a patch for t...
Hono vulnerable to Restricted Directory Traversal in serveStatic with deno
Summary When using serveStatic with deno, it is possible to directory traverse where main.ts is located. My environment is configured as per this tutorial https://hono.dev/getting-started/deno PoC bash $ tree . ├── deno.json ├── deno.lock ├── main.ts ├── README.md └── static └── a.txt source jsx...
PT-2024-24924 · Hono +1 · Hono +1
Name of the Vulnerable Software and Affected Versions: Hono versions prior to 4.2.7 Description: The issue allows directory traversal when using serveStatic with deno, potentially resulting in the retrieval of unexpected files, including the contents of main.ts. This can occur because the...
@hono/node-server cannot handle "double dots" in URL
Impact Since v1.3.0, we use our own Request object. This is great, but the url behavior is unexpected. In the standard API, if the URL contains .., here called "double dots", the URL string returned by Request will be in the resolved path. ts const req = new...
GHSA-RJQ5-W47X-X359 @hono/node-server cannot handle "double dots" in URL
Impact Since v1.3.0, we use our own Request object. This is great, but the url behavior is unexpected. In the standard API, if the URL contains .., here called "double dots", the URL string returned by Request will be in the resolved path. ts const req = new...
CVE-2024-23340
@hono/node-server is an adapter that allows users to run Hono applications on Node.js. Since v1.3.0, @hono/node-server has used its own Request object with url behavior that is unexpected. In the standard API, if the URL contains .., here called "double dots", the URL string returned by Request...