Description
Since v1.3.0, @hono/node-server uses its own Request object. This is useful, but the behaviour of its url property is unexpected.
In the standard API, if the URL contains `..` (here called "double dots"), the URL string returned by Request has the path already resolved.
However, the url in this Request does not resolve double dots, so a value such as http://localhost/static/../foo.txt is returned as-is, which a handler that trusts the url to be normalised may then use for path-based decisions.
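The following is an added example, not code from the advisory or from the @hono/node-server project. It shows how the standard WHATWG URL parser resolves the dot segments the affected Request leaves in place, how to detect a url that still carries them, and a defensive path check a static-file handler can apply while running an affected version; the function names and the `/static/` prefix are assumptions made for the example.

```javascript
// Resolve dot segments the way the standard Request/URL objects do.
// "http://localhost/static/../foo.txt" becomes "http://localhost/foo.txt".
function normalizeUrl(rawUrl) {
  return new URL(rawUrl).href;
}

// True when the URL string still contains a literal "." or ".." path segment,
// i.e. the url was handed to us unresolved (the behaviour described for
// @hono/node-server >= 1.3.0, < 1.4.1). Query string and fragment are ignored.
function hasUnresolvedDotSegments(rawUrl) {
  const path = rawUrl.split(/[?#]/, 1)[0];
  return path.split('/').some((seg) => seg === '..' || seg === '.');
}

// Map a request URL to a root-relative static path, or return null when the
// resolved path leaves the static prefix. Normalisation happens on the parsed
// URL, not on the raw string, so literal and percent-encoded dot segments are
// both resolved before the prefix check (a second pass after decoding covers
// sequences that only become dot segments once decoded).
function safeStaticPath(rawUrl, staticPrefix = '/static/') {
  const { pathname } = new URL(rawUrl);
  let decoded;
  try {
    decoded = decodeURIComponent(pathname);
  } catch {
    return null; // malformed percent-encoding: refuse rather than guess
  }
  const normalized = new URL(decoded, 'http://localhost').pathname;
  if (!normalized.startsWith(staticPrefix)) return null;
  return normalized.slice(staticPrefix.length);
}

// Constructed sample inputs, as a handler on an affected version might see them.
const samples = [
  'http://localhost/static/css/app.css',
  'http://localhost/static/../foo.txt',
];
for (const s of samples) {
  console.log(s, '->', normalizeUrl(s), '| unresolved:', hasUnresolvedDotSegments(s),
    '| static path:', safeStaticPath(s));
}
```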
Recommendation
Update the @hono/node-server package to the latest compatible version. Version details:
- Affected version(s): >= 1.3.0, < 1.4.1
- Patched version(s): 1.4.1
References
Related Issues
- @hono/node-server has Denial of Service risk when receiving Host header that cannot be parsed - CVE-2024-32652
- Path Traversal in http-server-node - CVE-2021-23797
- Vite XSS vulnerability in `server.transformIndexHtml` via URL payload - CVE-2023-49293
- Vite dev server option `server.fs.deny` can be bypassed when hosted on case-insensitive filesystem - CVE-2024-23331
Tags:
- npm
- @hono/node-server
Last updated on January 23, 2024