@hono/node-server has authorization bypass for protected static paths via encoded slashes in Serve Static Middleware
Summary When using @hono/node-server's static file serving together with route-based middleware protections e.g. protecting /admin/, inconsistent URL decoding can allow protected static resources to be accessed without authorization. In particular, paths containing encoded slashes %2F may be...