CVE-2026-29087
@hono/node-server has authorization bypass for protected static paths via encoded slashes in Serve Static Middleware
Description
## Summary

When using @hono/node-server's static file serving together with route-based middleware protections (e.g. protecting `/admin/*`), inconsistent URL decoding can allow protected static resources to be accessed without authorization. In particular, paths containing encoded slashes (`%2F`) may be evaluated differently by routing/middleware matching than by static file path resolution, enabling a bypass in which the middleware does not run but the static file is still served.

## Details

The routing layer and the node-server static handler normalize request paths differently. The router preserves `%2F` as a literal string when matching routes, while the static handler decodes `%2F` into `/` before resolving the filesystem path.

Example request:

- `/admin%2Fsecret.html`

This may:

- fail to match middleware intended for `/admin/*`, but
- still be resolved by the static handler as `/admin/secret.html` under the configured static root.

This does not allow access outside the configured static root and is not a path traversal vulnerability.

## Impact

An unauthenticated attacker could bypass route-based authorization protections for protected static resources by supplying paths containing encoded slashes. Applications relying solely on route-based middleware to protect static subpaths under the same static root may have exposed those resources.
How to fix CVE-2026-29087
To remediate CVE-2026-29087, upgrade the affected package to a fixed version below.
- Upgrade @hono/node-server to 1.19.10 or later
Is CVE-2026-29087 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- @hono/node-server: all versions >= 0 and < 1.19.10