44 matches found
CVE-2024-23340 @hono/node-server can't handle "double dots" in URL
@hono/node-server is an adapter that allows users to run Hono applications on Node.js. Since v1.3.0, @hono/node-server has used its own Request object with url behavior that is unexpected. In the standard API, if the URL contains .., here called "double dots", the URL string returned by Request...
CVE-2024-23340 @hono/node-server can't handle "double dots" in URL
@hono/node-server is an adapter that allows users to run Hono applications on Node.js. Since v1.3.0, @hono/node-server has used its own Request object with url behavior that is unexpected. In the standard API, if the URL contains .., here called "double dots", the URL string returned by Request...
CVE-2024-23340 @hono/node-server can't handle "double dots" in URL
@hono/node-server is an adapter that allows users to run Hono applications on Node.js. Since v1.3.0, @hono/node-server has used its own Request object with url behavior that is unexpected. In the standard API, if the URL contains .., here called "double dots", the URL string returned by Request...
CVE-2024-23340
The CVE concerns @hono/node-server (Node.js adapter) where its custom Request.url does not resolve ". ." (double dots), causing un-resolved paths like http://localhost/static/.. /foo.txt to be passed to serveStatic. This path-traversal can enable access to unintended files on the static server, u...