GHSA-q5qw-h33p-qvwr
Hono vulnerable to arbitrary file access via serveStatic vulnerability
Details
## Summary
When using `serveStatic` together with route-based middleware protections (e.g. `app.use('/admin/*', ...)`), inconsistent URL decoding allowed protected static resources to be accessed without authorization.
The router used `decodeURI`, while `serveStatic` used `decodeURIComponent`. This mismatch allowed paths containing encoded slashes (`%2F`) to bypass middleware protections while still resolving to the intended filesystem path.
## Details
The routing layer preserved `%2F` as a literal string, while `serveStatic` decoded it into `/` before resolving the file path.
Example:
Request: `/admin%2Fsecret.html`
- Router sees: `/admin%2Fsecret.html` → does not match `/admin/*` - Static handler resolves: `/admin/secret.html`
As a result, static files under the configured static root could be served without triggering route-based protections.
This only affects applications that both:
- Protect subpaths using route-based middleware, and - Serve files from the same static root using `serveStatic`.
This does **not** allow access outside the static root and is **not** a path traversal vulnerability.
## Impact
An unauthenticated attacker could bypass route-based authorization for protected static resources by supplying paths containing encoded slashes.
Applications relying solely on route-based middleware to protect static subpaths may have exposed those resources.
Are you affected?
Enter the version of the package you're using.