CVE-2026-39408
EPSS 0.02%
Hono: Path traversal in toSSG() allows writing files outside the output directory
Description
## Summary

A path traversal issue in `toSSG()` allows files to be written outside the configured output directory during static site generation. When dynamic route parameters are supplied via `ssgParams`, specially crafted values can cause the generated file paths to escape the intended output directory.

## Details

Static site generation creates output files whose paths are derived from the application's routes and their parameters. When `ssgParams` supplies values for a dynamic route, those values are substituted into the route path, and the result is used to construct the output file path. If a value contains traversal sequences (e.g. `..`), the resulting output path may resolve outside the configured output directory. As a result, the file is written to an unintended location instead of being confined within the specified output directory.

For example:

```ts
import { Hono } from 'hono'
import { toSSG, ssgParams } from 'hono/ssg'
import fs from 'node:fs/promises'

const app = new Hono()

// The parameter value contains a traversal sequence; it is substituted into the
// `/:id` route and then used to build the output file path.
app.get('/:id', ssgParams([{ id: '../pwned' }]), (c) => {
  return c.text('pwned')
})

toSSG(app, fs, { dir: './static' })
```

In this case the generated output path for the `/:id` route resolves outside `./static`, and the file is written there rather than inside the intended output directory.

## Impact

An attacker who can influence the values passed to `ssgParams` during the build process (for example, when parameter values are read from content or data the attacker controls) may be able to write files outside the intended output directory. Depending on the build and deployment environment, this may:

* overwrite unintended files
* affect generated artifacts
* impact deployment outputs or downstream tooling

This issue is limited to build-time static site generation and does not affect request-time routing. The affected version range is listed below; versions from 4.12.12 onward are not affected.
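The following TypeScript is an added example, not Hono's code, that models the output-path computation described above: a naive join that lets a traversal value in a parameter escape the output directory, beside the two checks a hardened build would apply, rejecting parameter values that contain separators or dot segments before substitution, and refusing any resolved path that is not strictly under the output directory. The function names (`planWrites`, `isInsideDir`, `expandRoute`), the `.txt` extension and the sample parameter sets are assumptions for illustration.

```typescript
import * as path from 'node:path'

// Constructed example, not Hono's implementation. It models the shape of the
// output-path computation that toSSG() performs (route path -> file under the
// output dir) and shows the confinement checks the vulnerable versions lack.

interface PlannedWrite {
  routePath: string
  outputPath: string
}

/** Vulnerable shape: join the route path into the output dir and trust it. */
function naiveOutputPath(dir: string, routePath: string): string {
  return path.join(dir, routePath + '.txt') // extension is an assumption
}

/** True if `target` resolves to a location strictly under `root`. */
function isInsideDir(root: string, target: string): boolean {
  const rel = path.relative(path.resolve(root), path.resolve(target))
  if (rel === '') return false // the root itself is not a file location
  if (path.isAbsolute(rel)) return false // different drive on Windows
  // Check the first segment, not a prefix, so a name like '..foo' is allowed.
  return rel.split(path.sep)[0] !== '..'
}

/** Hardened shape: same join, but refuse any path that escapes `dir`. */
function confinedOutputPath(dir: string, routePath: string): string {
  const out = naiveOutputPath(dir, routePath)
  if (!isInsideDir(dir, out)) {
    throw new Error(`refusing to write outside ${dir}: ${routePath}`)
  }
  return out
}

/** Reject param values that could alter the directory structure of the output. */
function isSafeParamValue(value: string): boolean {
  if (value.length === 0) return false
  if (value.includes('/') || value.includes('\\') || value.includes('\0')) return false
  return value !== '.' && value !== '..'
}

/** Substitute params into a `/:name` pattern, as ssgParams does conceptually. */
function expandRoute(pattern: string, params: Record<string, string>): string {
  return pattern.replace(/:([A-Za-z0-9_]+)/g, (_m, name: string) => {
    const v = params[name]
    if (v === undefined) throw new Error(`missing param ${name}`)
    if (!isSafeParamValue(v)) throw new Error(`unsafe value for ${name}: ${JSON.stringify(v)}`)
    return v
  })
}

/** Plan the writes for one route and its param sets; escapes are rejected, not written. */
function planWrites(
  dir: string,
  pattern: string,
  paramSets: Record<string, string>[],
): { accepted: PlannedWrite[]; rejected: string[] } {
  const accepted: PlannedWrite[] = []
  const rejected: string[] = []
  for (const p of paramSets) {
    try {
      const routePath = expandRoute(pattern, p)
      accepted.push({ routePath, outputPath: confinedOutputPath(dir, routePath) })
    } catch (e) {
      rejected.push((e as Error).message)
    }
  }
  return { accepted, rejected }
}

// Constructed sample: one benign id and two traversal attempts, as in the advisory.
const demo = planWrites('./static', '/:id', [{ id: 'about' }, { id: '../pwned' }, { id: '..' }])
console.log(demo)
```

Both layers matter: the value check stops the traversal at the point where untrusted data enters, and the resolved-path check catches anything that slips through a different substitution path. The confinement test uses `path.relative` and inspects the first segment rather than a string prefix, so a legitimate directory named `..foo` is not rejected and a different drive on Windows (an absolute relative path) is.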
Affected packages (1)
- npm/hono: >= 4.0.0, < 4.12.12
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N |