@hono/node-server: Middleware bypass via repeated slashes in serveStatic

Severity:: Medium

Description

A path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes (//) in the request path.

When route-based middleware (e.g., /admin/*) is used for authorization, the router may not match paths containing repeated slashes, while serveStatic resolves them as normalized paths.

Recommendation

Update the @hono/node-server package to the latest compatible version. Followings are version details:

Affected version(s): < 1.19.13
Patched version(s): 1.19.13

References

GHSA-92pp-h63x-v22m
CVE-2026-39406
CWE-22
CAPEC-310
OWASP 2021-A1
OWASP 2021-A6

Related Issues

@hono/node-server has authorization bypass for protected static paths via encoded slashes in Serve Static Middleware - CVE-2026-29087
Apify Model Context Protocol (MCP) server: Domain Allowlist Bypass in fetch-apify-docs via String Prefix Matching - CVE-2026-46341
Parse Server has a rate limit bypass via batch request endpoint - CVE-2026-30972
@hono/node-server cannot handle "double dots" in URL - CVE-2024-23340

Exploiting Server Version Disclosure

Apache and Express Path Traversal plus Nginx Restriction Bypass Tests with SmartScanner

Update Cheat Sheet for Developers

Tags:: npm; @hono/node-server

Anything's wrong? Let us know Last updated on April 08, 2026