{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39406", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-07T00:23:30.594Z", "datePublished": "2026-04-08T14:34:30.543Z", "dateUpdated": "2026-04-08T15:17:38.121Z"}, "containers": {"cna": {"title": "@hono/node-server has a middleware bypass via repeated slashes in serveStatic", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/honojs/node-server/security/advisories/GHSA-92pp-h63x-v22m", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/honojs/node-server/security/advisories/GHSA-92pp-h63x-v22m"}], "affected": [{"vendor": "honojs", "product": "node-server", "versions": [{"version": "< 1.19.13", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-08T14:34:30.543Z"}, "descriptions": [{"lang": "en", "value": "@hono/node-server allows running the Hono application on Node.js. Prior to 1.19.13, a path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes (//) in the request path. When route-based middleware (e.g., /admin/*) is used for authorization, the router may not match paths containing repeated slashes, while serveStatic resolves them as normalized paths. This can lead to a middleware bypass. This vulnerability is fixed in 1.19.13."}], "source": {"advisory": "GHSA-92pp-h63x-v22m", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-08T15:17:32.143505Z", "id": "CVE-2026-39406", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T15:17:38.121Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-39406", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-08T15:17:32.143505Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T15:17:34.377Z"}}], "cna": {"title": "@hono/node-server has a middleware bypass via repeated slashes in serveStatic", "source": {"advisory": "GHSA-92pp-h63x-v22m", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "honojs", "product": "node-server", "versions": [{"status": "affected", "version": "< 1.19.13"}]}], "references": [{"url": "https://github.com/honojs/node-server/security/advisories/GHSA-92pp-h63x-v22m", "name": "https://github.com/honojs/node-server/security/advisories/GHSA-92pp-h63x-v22m", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "@hono/node-server allows running the Hono application on Node.js. Prior to 1.19.13, a path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes (//) in the request path. When route-based middleware (e.g., /admin/*) is used for authorization, the router may not match paths containing repeated slashes, while serveStatic resolves them as normalized paths. This can lead to a middleware bypass. This vulnerability is fixed in 1.19.13."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-08T14:34:30.543Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39406", "state": "PUBLISHED", "dateUpdated": "2026-04-08T15:17:38.121Z", "dateReserved": "2026-04-07T00:23:30.594Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-08T14:34:30.543Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "@hono/node-server allows running the Hono application on Node.js. Prior to 1.19.13, a path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes (//) in the request path. When route-based middleware (e.g., /admin/*) is used for authorization, the router may not match paths containing repeated slashes, while serveStatic resolves them as normalized paths. This can lead to a middleware bypass. This vulnerability is fixed in 1.19.13."}], "id": "CVE-2026-39406", "lastModified": "2026-04-08T21:26:13.410", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-08T15:16:14.513", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/honojs/node-server/security/advisories/GHSA-92pp-h63x-v22m"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-08T16:22:07.143811+00:00", "value": {"mitigation_remediation": ["Verify that your @hono/node-server package is at or above version 1.19.13.", "If not, upgrade the package to 1.19.13 or a later release.", "After upgrading, test that serveStatic normalizes paths correctly and that protected routes enforce middleware.", "Optionally, monitor logs for unexpected repeated slash requests."], "summary": {"action": "Apply Patch", "impact": "Middleware bypass exposing protected files"}, "threat_synthesis": {"affected_systems": "Users running the honojs:node-server package, specifically versions of the @hono/node-server library earlier than 1.19.13, are affected. The bug exists in the serveStatic component that serves static files for Hono applications on Node.js.", "description_and_impact": "The vulnerability arises from an inconsistency in path handling within the serveStatic middleware of the @hono/node-server library. Prior to version 1.19.13, URLs that contain multiple consecutive slashes are normalized by serveStatic before reaching the routing layer, but the router\u2019s middleware matching does not account for these repeated slashes. As a result, requests for protected static assets that use double slashes can bypass route\u2011based authorization middleware, potentially exposing sensitive files or resources. This is a path\u2011handling flaw that can lead to an unauthorized disclosure of confidential data.", "risk_and_exploitability": "With a CVSS score of 5.3, the flaw is considered a medium\u2011severity issue. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. Attackers can exploit it by crafting HTTP requests that include repeated slashes in the path to static resources, thereby bypassing route\u2011based middleware guards that protect sensitive files. The exploitation requires only network access to the application and does not rely on any additional privileges or local execution."}}}}, "created": "2026-04-08T19:39:15.552694+00:00", "updated": "2026-04-08T19:39:15.552725+00:00", "vendors": []}