CVE-2026-29045

EUVD-2026-9506

04.03.2026, 23:16

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.12.4, when using serveStatic together with route-based middleware protections (e.g. app.use('/admin/*', ...)), inconsistent URL decoding allowed protected static resources to be accessed without authorization. The router used decodeURI, while serveStatic used decodeURIComponent. This mismatch allowed paths containing encoded slashes (%2F) to bypass middleware protections while still resolving to the intended filesystem path. This issue has been patched in version 4.12.4.

Hex Encoding

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Affected Products (NVD)

Vendor	Product	Version
hono	hono	𝑥 < 4.12.4

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-177 - Improper Handling of URL Encoding (Hex Encoding)
The software does not properly handle when all or part of an input has been URL encoded.

References

https://github.com/honojs/hono/commit/6a0607a929d888893f0c91d92dce2fcfdb3662a3

https://github.com/honojs/hono/security/advisories/GHSA-q5qw-h33p-qvwr