Description
Since v1.3.0, we use our own Request object. This is great, but the url behavior is unexpected.
In the standard API, if the URL contains .., here called “double dots”, the URL string returned by Request contains the resolved path.
However, the url in our Request does not resolve double dots, so http://localhost/static/../foo.txt is returned.
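The difference described above, and a check that normalises before matching a mount prefix, as an added example (not code from @hono/node-server). `rawRequestUrl`, `standardRequestUrl` and `pathUnderMount` are hypothetical names, and building the URL by concatenating the Host header with the raw request target is an assumption about how an unresolved URL can arise.

```javascript
// Added example; the helper names are hypothetical, not the package's API.

// Assumption: a wrapper that builds `url` by concatenating the Host header
// and the raw request target, without running the WHATWG URL parser.
function rawRequestUrl(host, requestTarget) {
  return `http://${host}${requestTarget}`;
}

// Standard behaviour: the WHATWG URL parser removes dot segments.
function standardRequestUrl(host, requestTarget) {
  return new URL(requestTarget, `http://${host}`).href;
}

// Defensive check for a handler mounted at `mount` (e.g. "/static/"):
// normalise first, then require the resolved path to stay under the mount.
// Returns the path relative to the mount, or null when the request escapes it.
function pathUnderMount(urlString, mount) {
  let pathname;
  try {
    pathname = new URL(urlString).pathname;
  } catch {
    return null; // unparsable URL: reject
  }
  if (!pathname.startsWith(mount)) return null;
  return pathname.slice(mount.length);
}

function demo() {
  const host = 'localhost';
  const target = '/static/../foo.txt'; // constructed sample request target
  const raw = rawRequestUrl(host, target);
  return {
    raw, // unresolved string, as in the affected versions
    standard: standardRequestUrl(host, target), // resolved string
    // A prefix match on the unresolved string accepts the request...
    naivePrefixMatch: raw.startsWith('http://localhost/static/'),
    // ...while matching after normalisation rejects it.
    checked: pathUnderMount(raw, '/static/'),
    // Dot segments that stay inside the mount are still served.
    benign: pathUnderMount(rawRequestUrl(host, '/static/css/../app.js'), '/static/'),
  };
}

console.log(demo());
```
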
Recommendation
Update the @hono/node-server package to the latest compatible version. Version details follow:
- Affected version(s): >= 1.3.0, < 1.4.1
- Patched version(s): 1.4.1
Tags: npm, @hono/node-server
Last updated on January 23, 2024