@hono/node-server has authorization bypass for protected static paths via encoded slashes in Serve Static Middleware

Description

When using @hono/node-server’s static file serving together with route-based middleware protections (e.g. protecting /admin/*), inconsistent URL decoding can allow protected static resources to be accessed without authorization.

Recommendation

Update the @hono/node-server package to the latest compatible version. Followings are version details:

• Affected version(s): < 1.19.10
• Patched version(s): 1.19.10

References

• GHSA-wc8c-qw6v-h7f6
• CVE-2026-29087
• CWE-863
• CAPEC-310
• OWASP 2021-A1
• OWASP 2021-A6

Related Issues

• @hono/node-server: Middleware bypass via repeated slashes in serveStatic - CVE-2026-39406
• Parse Server has a LiveQuery protected-field guard bypass via array-like logical operator value - CVE-2026-34595
• Parse Server has a protected fields bypass via dot-notation in query and sort - CVE-2026-31872
• Parse Server has a protected fields bypass via LiveQuery subscription WHERE clause - CVE-2026-32098

You might also like:

Exploiting Server Version Disclosure

Apache and Express Path Traversal plus Nginx Restriction Bypass Tests with SmartScanner

Update Cheat Sheet for Developers

Tags:

npm

@hono/node-server