Description
Since v1.3.0, we use our own Request object. This is great, but the url behavior is unexpected.
In the standard API, if the URL contains .., here called “double dots”, the URL string returned by Request contains the resolved path.
However, the url in our Request does not resolve double dots, so http://localhost/static/../foo.txt is returned.
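An added example (not code from @hono/node-server) contrasting the unresolved URL string with the resolved form that WHATWG URL parsing produces, plus a prefix check made on the resolved path. The function names and the sample host and request target are assumptions constructed for illustration.

```javascript
// Constructed sample: host and request target as an HTTP server would receive them.
const SAMPLE_HOST = 'localhost';
const SAMPLE_TARGET = '/static/../foo.txt';

// Unresolved form: host and raw target joined as a string, double dots kept.
function unresolvedUrl(host, target) {
  return `http://${host}${target}`;
}

// Resolved form: WHATWG URL parsing removes dot segments,
// which is what the standard Request.url exposes.
function resolvedUrl(host, target) {
  return new URL(unresolvedUrl(host, target)).href;
}

// Path-prefix decision taken on the resolved path, so a target that only
// starts with "/static/" textually is not treated as being under it.
function isUnderPrefix(host, target, prefix) {
  let pathname;
  try {
    pathname = new URL(unresolvedUrl(host, target)).pathname;
  } catch {
    return false; // unparseable host or target: refuse
  }
  return pathname.startsWith(prefix);
}

// Logging/detection helper: true when resolution changes the URL string,
// i.e. code reading the unresolved string would see a different URL.
function differsAfterResolution(host, target) {
  try {
    return unresolvedUrl(host, target) !== resolvedUrl(host, target);
  } catch {
    return true; // treat unparseable input as suspicious
  }
}

console.log(unresolvedUrl(SAMPLE_HOST, SAMPLE_TARGET));
console.log(resolvedUrl(SAMPLE_HOST, SAMPLE_TARGET));
console.log(isUnderPrefix(SAMPLE_HOST, SAMPLE_TARGET, '/static/'));
console.log(differsAfterResolution(SAMPLE_HOST, SAMPLE_TARGET));
```

Any routing, authorization, or static-file decision should be made on the resolved path; a request whose URL differs after resolution is worth logging.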
Recommendation
Update the @hono/node-server package to the latest compatible version. Version details:
- Affected version(s): >= 1.3.0, < 1.4.1
- Patched version(s): 1.4.1
References
Related Issues
- @hono/node-server has Denial of Service risk when receiving Host header that cannot be parsed - CVE-2024-32652
- @hono/node-server has authorization bypass for protected static paths via encoded slashes in Serve Static Middleware - CVE-2026-29087
- Server crashes on invalid Cloud Function or Cloud Job name - CVE-2024-29027
- RSSHub vulnerable to Server-Side Request Forgery - CVE-2024-27927
- Tags:
- npm
- @hono/node-server
Last updated on January 23, 2024