9.8

CVE-2026-29045

EPSS 0.04%
Veröffentlicht 04.03.2026 22:09:22
Zuletzt bearbeitet 06.03.2026 18:06:45
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.12.4, when using serveStatic together with route-based middleware protections (e.g. app.use('/admin/*', ...)), inconsistent URL decoding allowed protected static resources to be accessed without authorization. The router used decodeURI, while serveStatic used decodeURIComponent. This mismatch allowed paths containing encoded slashes (%2F) to bypass middleware protections while still resolving to the intended filesystem path. This issue has been patched in version 4.12.4.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Hono ≫ Hono SwPlatformnode.js Version < 4.12.4

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.04%	0.132

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
security-advisories@github.com	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE-177 Improper Handling of URL Encoding (Hex Encoding)

The product does not properly handle when all or part of an input has been URL encoded.

https://github.com/honojs/hono/security/advisories/GHSA-q5qw-h33p-qvwr

Vendor Advisory

https://github.com/honojs/hono/commit/6a0607a929d888893f0c91d92dce2fcfdb3662a3

Patch

https://nvd.nist.gov/vuln/detail/CVE-2026-29045

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-29045

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-29045

EUVD