4 matches found
CVE-2024-23340
The CVE concerns @hono/node-server (Node.js adapter), whose custom Request.url does not resolve ".." (double dots), causing unresolved paths like http://localhost/static/../foo.txt to be passed to serveStatic. This path traversal can enable access to unintended files on the static server, u...
CVE-2024-32652
Summary: CVE-2024-32652 affects the Node.js adapter @hono/node-server. Before version 1.10.1, handling of invalid Host header values (e.g., empty strings or values not parseable as a hostname) could cause the application to hang via an Invalid URL error. The advisory states that 1.10.1 fixes the ...
CVE-2026-29087
The connected IBM bulletin confirms CVE-2026-29087 affects the Node.js module hono used by IBM App Connect Enterprise Certified Container. The vulnerability arises from inconsistent URL decoding when static file serving and route-middleware protections are used together, allowing access to protec...
CVE-2026-39406
The CVE concerns @hono/node-server where a path handling inconsistency in serveStatic allows bypassing route-based middleware via repeated slashes (//) in the request path. Before version 1.19.13, the router may not match paths containing repeated slashes (e.g., /admin/*) while serveStatic resolv...