@hono/node-server is vulnerable to Path Traversal
59
Medium Risk
The serveStatic middleware in @hono/node-server can serve protected static files on Windows when a request path contains a URL-encoded backslash. The Hono router treats a path like /admin%5Csecret.txt as a single segment, so prefix-mounted authorization middleware on /admin/* does not run. Before the fix, serveStatic allowed a decoded lone backslash through its path guard while Windows path resolution split it into a nested file under the static root. The fix extends path validation to reject backslash-based traversal patterns.
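To make the gap described above concrete, here is an added example (not code from Hono or @hono/node-server) contrasting a prefix check on the raw request path with one that canonicalizes the path first; `PROTECTED_PREFIX` and the sample requests are constructed for illustration.

```javascript
// Added example (not @hono/node-server's own code). It shows why a guard
// that matches the raw request path misses "/admin%5Csecret.txt", and how
// canonicalizing before the authorization decision closes that gap.
// PROTECTED_PREFIX stands in for a hypothetical prefix-mounted auth route.
const PROTECTED_PREFIX = "/admin/";

// Percent-decode once, fold backslashes to "/" (as Windows path resolution
// would), and collapse "." and ".." segments. Returns null when the path is
// malformed or would climb above the static root.
function canonicalize(rawPath) {
  let decoded;
  try {
    decoded = decodeURIComponent(rawPath);
  } catch {
    return null; // malformed percent-encoding: refuse rather than guess
  }
  const segments = [];
  for (const seg of decoded.replace(/\\/g, "/").split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") {
      if (segments.length === 0) return null; // would escape the root
      segments.pop();
      continue;
    }
    segments.push(seg);
  }
  return "/" + segments.join("/");
}

// Naive guard: string-prefix match on the raw path, like a router that
// treats the encoded backslash as part of a single segment.
function naiveIsProtected(rawPath) {
  return rawPath.startsWith(PROTECTED_PREFIX);
}

// Hardened guard: decide on the canonical form, and deny (treat as
// protected) whenever the path cannot be resolved safely.
function hardenedIsProtected(rawPath) {
  const canon = canonicalize(rawPath);
  return canon === null || canon.startsWith(PROTECTED_PREFIX);
}

// Constructed sample requests for a side-by-side comparison.
const SAMPLES = ["/admin/secret.txt", "/admin%5Csecret.txt", "/public/..%5C..%5Csecret.txt"];
for (const p of SAMPLES) {
  console.log(p, "naive:", naiveIsProtected(p), "hardened:", hardenedIsProtected(p));
}
```

The second sample is the advisory's case: the naive check lets it through while the canonical form `/admin/secret.txt` is correctly treated as protected.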
You are affected if you are using a version that falls within the vulnerable range and your application runs on Windows with serveStatic together with prefix-mounted middleware for access control.
@hono/node-server is vulnerable to Path Traversal in versions 0.2.0 - 2.0.4.
Upgrade @hono/node-server to a patched version.