
AIKIDO-2026-11189

hono is vulnerable to Path Traversal

Type: Path Traversal
Advisory: GHSA-wwfh-h76j-fc44
Published 3 days ago

Risk score: 59 (Medium Risk)

This affects:

Package: hono (JS)
Vulnerable versions: 0.0.1 - 4.12.24
Fixed in: 4.12.25

TL;DR

The serve-static middleware rejected dot-segment and double-separator paths but allowed a lone backslash in the decoded filename. On Windows the path resolver treats a backslash as a separator, so a single URL segment containing a percent-encoded backslash can resolve into a nested file that a prefix-mounted guard was meant to protect. An unauthenticated attacker can therefore read static files behind such guards without ever escaping the configured root. The guard now rejects any decoded path containing a backslash separator.

Who does this affect?

You are affected if you run a version within the vulnerable range and serve static files on Windows hosts with serve-static behind prefix-mounted middleware guards.

Background info

hono is vulnerable to Path Traversal in versions 0.0.1 - 4.12.24.

How to fix this

Upgrade hono to version 4.12.25 or later.