Hono: Middleware bypass via repeated slashes in serveStatic
RSS Feed
MODERATE
GHSA-wmmm-f939-6g9c
CVE-2026-39407
Description:
Summary
A path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes (//) in the request path.
When route-based middleware (e.g., /admin/*) is used for authorization, the router may not match paths containing repeated slashes, while serveStatic resolves them as normalized paths. This can lead to a middleware bypass.
Details
The routing layer and serveStatic handle repeated slashes differently.
For example:
/admin/secret.txt => matches /admin/*
/admin//secret.txt => may not match /admin/*
However, serveStatic may interpret both paths as the same file location (e.g., admin/secret.txt) and return the file.
This inconsistency allows a request such as:
GET //admin/secret.txt
to bypass middleware registered on /admin/* and access protected files.
The issue has been fixed by rejecting paths that contain repeated slashes, ensuring consistent behavior between route matching and static file resolution.
Impact
An attacker can access static files that are intended to be protected by route-based middleware by using repeated slashes in the request path.
This can lead to unauthorized access to sensitive files under the static root.
This issue affects applications that rely on serveStatic together with route-based middleware for access control.
Affected Packages
| Ecosystem | Package | Vulnerable Versions | Patched Version |
|---|---|---|---|
| npm |
hono
|
< 4.12.12 |
4.12.12
|
deps(deps): bump the security-patches group across 4 directories with 2 updates
Open 14 days ago
VeVarunSharma/contoso-vibe-engineering #303
npm:drizzle-orm
npm:hono
chore(deps): bump the npm_and_yarn group across 11 directories with 24 updates
Open 15 days ago
GlacierEQ/langgraphjs #6
npm:axios
npm:vite
+20 more
deps(deps): bump the security-patches group across 4 directories with 2 updates
Closed 15 days ago
VeVarunSharma/contoso-vibe-engineering #296
npm:drizzle-orm
npm:hono
build(deps): Bump the npm_and_yarn group across 1 directory with 15 updates
Closed 15 days ago
you112ef/knet-mock-pay-06 #17
npm:react-router
npm:vite
+12 more
chore(deps): bump the npm_and_yarn group across 5 directories with 23 updates
Closed 15 days ago
nssuwan186-dev/ag-ui #35
npm:next
npm:uuid
+4 more
chore(deps): bump the npm_and_yarn group across 24 directories with 5 updates
Open 16 days ago
jadenblack/composio #101
npm:axios
npm:uuid
+2 more
Bump the npm_and_yarn group across 5 directories with 7 updates
Open 16 days ago
rshan1515/workers-sdk #19
npm:vite
npm:undici
+5 more
Bump the npm_and_yarn group across 4 directories with 9 updates
Closed 16 days ago
ANT0071/drizzle-orm #6
npm:rollup
npm:uuid
+4 more
build(deps): bump the npm_and_yarn group across 2 directories with 5 updates
Open 16 days ago
tsukasa-u/FUSOU #177
npm:astro
npm:vite
+3 more
chore(deps): bump the npm_and_yarn group across 9 directories with 8 updates
Closed 16 days ago
bluluvinn/x402 #16
npm:axios
npm:vite
+5 more
chore(deps): Bump the npm_and_yarn group across 4 directories with 5 updates
Closed 17 days ago
ds1/pincerpay #110
npm:next
npm:yaml
+3 more
Bump the npm_and_yarn group across 4 directories with 7 updates
Open 17 days ago
rshan1515/workers-sdk #18
npm:vite
npm:undici
+5 more
chore(deps): bump the npm_and_yarn group across 15 directories with 10 updates
Closed 18 days ago
ANT0071/mastra #97
npm:axios
npm:next
+6 more
chore(deps): bump the npm_and_yarn group across 15 directories with 9 updates
Closed 18 days ago
xendit/mastra #101
npm:axios
npm:next
+5 more
Bump the npm_and_yarn group across 19 directories with 5 updates
Open 19 days ago
cloudflare/ai #520
npm:axios
npm:postcss
+3 more
Bump the npm_and_yarn group across 1 directory with 5 updates
Closed 20 days ago
canstralian/workers-for-platforms-template #1
npm:undici
npm:esbuild
+2 more
build(deps): bump hono from 4.12.9 to 4.12.15 in /server
Open 20 days ago
OuroborosCollective/Wasd #380
npm:hono
Bump the npm_and_yarn group across 18 directories with 4 updates
Open 20 days ago
cloudflare/ai #514
npm:axios
npm:postcss
+2 more
build(deps): bump the minor-and-patch group across 1 directory with 7 updates
Closed 20 days ago
jfilter/timetiles #117
npm:vitest
npm:@types/node
+5 more
Bump hono from 4.6.0 to 4.12.15 in /backend
Closed 21 days ago
Teddynews/teddyfon-cleaner #26
npm:hono
deps: bump hono from 4.12.10 to 4.12.15
Open 21 days ago
tropicans/codmulti #12
npm:hono
chore(deps): bump the all-minor-and-patch group across 1 directory with 26 updates
Open 21 days ago
TiM1113/FoodDelivery-AWS-Vercell #133
npm:vitest
npm:@vitest/coverage-v8
+24 more
deps(deps): bump the security-patches group across 3 directories with 2 updates
Open 21 days ago
VeVarunSharma/contoso-vibe-engineering #279
npm:drizzle-orm
npm:hono
chore(deps): bump the minor-and-patch group across 1 directory with 25 updates
Closed 21 days ago
mustafaersoyer/konnekt-crm #17
npm:eslint
npm:react-dom
+23 more
chore(deps): bump the production group across 1 directory with 12 updates
Open 21 days ago
SuperstellarLLC/n3rd-ai-ui #22
npm:vitest
npm:@vitest/coverage-v8
+10 more
chore(deps): bump the npm_and_yarn group across 1 directory with 3 updates
Open 21 days ago
fderuiter/wedding_website #250
npm:next
npm:lodash
+1 more
chore(deps): Bump hono from 4.11.4 to 4.12.14
Closed 21 days ago
paveg/tailf #46
npm:hono
chore(deps): bump the dependencies group across 1 directory with 6 updates
Closed 21 days ago
kempsterrrr/ar-io-node-project #104
npm:prettier
npm:turbo
+4 more
build(deps): bump the npm_and_yarn group across 9 directories with 9 updates
Closed 21 days ago
sc-shakyawijerathne/xmcloud-starter-js #77
npm:axios
npm:next
+4 more
chore(deps): bump the npm_and_yarn group across 1 directory with 5 updates
Closed 21 days ago
tenkumogroup/guildkit #71
npm:next
npm:fast-xml-parser
+3 more
Bump hono from 4.12.3 to 4.12.15
Closed 21 days ago
yuzhenmi/taleweaver #142
npm:hono
chore(deps)(deps): bump hono from 4.11.2 to 4.12.15
Open 21 days ago
Phoenixrr2113/agent #120
npm:hono
chore(deps): Bump the npm-non-major group across 1 directory with 8 updates
Open 22 days ago
Jost17/frea #28
npm:tailwindcss
npm:@tailwindcss/cli
+6 more
Bump the npm_and_yarn group across 5 directories with 5 updates
Closed 22 days ago
blackboxprogramming/BlackRoad-OS-Live-Working-Version-Public #2
npm:next
npm:follow-redirects
+3 more
deps(api)(deps): bump hono from 4.11.9 to 4.12.15 in /cloudflare/forgescan-api in the hono group
Open 22 days ago
Bjay0727-jay/Forge-Scan #102
npm:hono
chore(deps): bump the production-dependencies group across 1 directory with 6 updates
Open 22 days ago
bidewio/better-openclaw #43
npm:react-dom
npm:next
+4 more
chore(deps): bump the all-minor-patch group across 1 directory with 23 updates
Open 22 days ago
WuMingDao/zenith-image-generator #94
npm:vitest
npm:react-router-dom
+21 more
chore(deps): Bump hono from 4.6.0 to 4.12.15
Open 22 days ago
amynaff/my-lunar-phase #36
npm:hono
deps: Bump the minor-and-patch group across 1 directory with 12 updates
Open 22 days ago
vinaes/md-succ-ai #13
npm:nanoid
npm:hono
+10 more
chore(deps): bump hono from 4.12.9 to 4.12.15
Open 22 days ago
forbiddenlink/specter #45
npm:hono
Bump the npm_and_yarn group across 1 directory with 5 updates
Open 22 days ago
MatiasPF1/SHPE-Stevens-Chapter #1
npm:next
npm:hono
+3 more
Bump hono from 4.12.9 to 4.12.15
Closed 22 days ago
TheDuffman85/linux-update-dashboard #138
npm:hono
build(deps): bump the npm_and_yarn group across 1 directory with 23 updates
Open 22 days ago
johnnycsv232/GettUppENTERPRISE #9
npm:vite
npm:next
+21 more
chore(deps): bump hono from 4.12.8 to 4.12.15 in /frontend
Closed 22 days ago
haporfirio/cyphron #4
npm:hono
chore(deps): bump hono from 4.12.10 to 4.12.15 in /dashboard
Open 22 days ago
Epigibson/Nexus #14
npm:hono
chore(deps): Bump hono from 4.12.10 to 4.12.15 in /apps/translator/server in the minor-and-patch group across 1 directory
Closed 23 days ago
masserfx/even-realities #19
npm:hono
Bump hono from 4.12.6 to 4.12.15
Open 23 days ago
tmaurie/clean-lap #31
npm:hono
chore(deps): Bump the npm_and_yarn group across 1 directory with 2 updates
Closed 23 days ago
yagudaev/voiceclaw #226
npm:@anthropic-ai/sdk
npm:hono
chore(deps): bump hono from 3.11.8 to 4.12.14 in the npm_and_yarn group across 1 directory
Closed 24 days ago
lmist/markmap #1
npm:hono
Bump the npm_and_yarn group across 1 directory with 12 updates
Open 24 days ago
Dargon789/template-ethereum-contracts #253
npm:axios
npm:yaml
+9 more
Actions
Advisory Details
| Published: | April 08, 2026 about 1 month ago |
| Updated: | May 11, 2026 8 days ago |
| CVSS Score: | 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| EPSS: | 0.02% 6th percentile |
| Source: | Github |
| Classification: | GENERAL |
| UUID: | GSA_kwCzR0hTQS13bW1tLWY5MzktNmc5Y84ABU3l |
PR Statistics
PR Status
Open
592 (44.3%)
Merged
0 (0.0%)
Closed
745 (55.7%)
Update Types
Major
157 (4.8%)
Minor
1290 (39.8%)
Patch
1777 (54.8%)
References
- https://github.com/honojs/hono/security/advisories/GHSA-wmmm-f939-6g9c
- https://github.com/honojs/hono/commit/9aff14bd727f8b0435c963363fd803260e7b8e3c
- https://github.com/honojs/hono/releases/tag/v4.12.12
- https://nvd.nist.gov/vuln/detail/CVE-2026-39407
- https://github.com/advisories/GHSA-wmmm-f939-6g9c