@hono/node-server has authorization bypass for protected static paths via encoded slashes in Serve Static Middleware
- Severity: High
Description
When using @hono/node-server’s static file serving together with route-based middleware protections (e.g. protecting /admin/*), inconsistent URL decoding can allow protected static resources to be accessed without authorization.
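The mismatch described above, shown as an added example that is not part of the advisory and not @hono/node-server's code. It is a simplified model in which the route guard matches on the path with `%2F` left encoded while the static resolver decodes it, plus a pre-routing check that refuses encoded separators. The function names, the two-view model and the sample paths are assumptions made for illustration.

```javascript
// Added example: simplified model, not @hono/node-server's code.
// Assumption: the route guard compares the path with %2F left encoded,
// while the static file resolver decodes every escape first.

const PROTECTED_PREFIX = '/admin/'; // mirrors the /admin/* rule in the advisory

// View used for route matching in this model: escapes are left as-is.
function routerView(rawPath) {
  return rawPath;
}

// View used for file lookup in this model: all escapes decoded.
function staticView(rawPath) {
  try {
    return decodeURIComponent(rawPath);
  } catch {
    return null; // malformed escape sequence
  }
}

// True when the two views disagree on whether the path is protected.
function viewsDisagree(rawPath) {
  const decoded = staticView(rawPath);
  if (decoded === null) return true;
  return routerView(rawPath).startsWith(PROTECTED_PREFIX) !==
         decoded.startsWith(PROTECTED_PREFIX);
}

// Defensive check to run before any routing: refuse encoded path separators
// and malformed escapes so both layers always see the same segments.
function rejectAmbiguousPath(rawPath) {
  if (staticView(rawPath) === null) return { ok: false, reason: 'malformed escape' };
  if (/%(2f|5c)/i.test(rawPath)) return { ok: false, reason: 'encoded separator' };
  return { ok: true, reason: null };
}

// Constructed sample request paths.
const samples = ['/admin/report.html', '/admin%2Freport.html', '/public/a%20b.txt', '/public/%zz'];
for (const p of samples) {
  console.log(p, 'disagree=' + viewsDisagree(p), JSON.stringify(rejectAmbiguousPath(p)));
}
```

Upgrading to the patched version remains the fix; a check like this only adds defense in depth and a signal worth logging.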
Recommendation
Update the @hono/node-server package to the latest compatible version. Version details:
- Affected version(s): < 1.19.10
- Patched version(s): 1.19.10
References
Related Issues
- Parse Server has a protected fields bypass via logical query operators - CVE-2026-30962
- Parse Server has a protected fields bypass via dot-notation in query and sort - CVE-2026-31872
- Parse Server has a protected fields bypass via LiveQuery subscription WHERE clause - CVE-2026-32098
- Parse Server has a query condition depth bypass via pre-validation transform pipeline - CVE-2026-33498
- Tags: npm, @hono/node-server
Last updated on March 06, 2026