Vulnerability Overview
| Field | Details |
|---|---|
| CVE ID | CVE-2026-29087 |
| Component | @hono/node-server |
| Vulnerability Type | Authorization Bypass |
| Severity | High |
| CVSS Score | 7.5 (CVSS v3.1) |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Impact | Unauthorized access to restricted static resources |
| Exploitability | Easily exploitable through crafted HTTP requests |
| Exploit Availability | Public proof-of-concept techniques known |
| Affected Versions | Versions prior to 1.19.10 |
| Patched Version | 1.19.10 |
CVE-2026-29087 is an authorization bypass vulnerability discovered in the @hono/node-server adapter used with the Hono web framework. The issue occurs when applications rely on route-based middleware protections while serving files through the static file handler. Because URL decoding is handled inconsistently between the router and the static file middleware, specially crafted requests may bypass authentication checks and expose files that should normally require authorization.
The vulnerability primarily affects deployments where sensitive directories are protected only through routing middleware while being located inside the static file root directory.
Technical Description
The root of the vulnerability lies in the way encoded characters in URLs are interpreted by different layers of the application.
The routing layer processes incoming URLs differently from the static file handler. When an encoded slash (%2F) appears inside a request path, the router interprets it as a literal string rather than a path separator. However, the static file handler later decodes this value into a normal slash (/) before resolving the file path on disk.
Because middleware authorization rules rely on the router’s interpretation of the path, the encoded slash prevents the middleware from recognizing that the request is targeting a protected directory. When the request reaches the static file handler, the path is decoded and resolved normally, resulting in the protected file being returned.
This mismatch allows the security check to be bypassed even though the final file path points to a protected resource.
Root Cause
The vulnerability results from inconsistent URL normalization and decoding across request processing components.
The behavior can be summarized as follows:
| Component | Behavior |
|---|---|
| Router | Does not treat %2F as a directory separator |
| Static File Handler | Decodes %2F to / before resolving file path |
Because of this difference, middleware rules that rely on route matching fail to trigger.
The issue is therefore not a traditional directory traversal vulnerability. The static file handler still restricts file access within the configured root directory. However, access control protections implemented through routing middleware can be bypassed.
Affected Configurations
This vulnerability becomes exploitable when the following conditions are present:
- Applications use Hono framework with @hono/node-server
- Static files are served using serveStatic middleware
- Sensitive directories exist inside the static root directory
- Access to those directories is controlled only through route-based middleware
Example deployment scenario:
/public
├── index.html
├── images/
└── admin/
    └── dashboard.html
Access control may be configured as:
app.use('/admin/*', authenticationMiddleware)
If the application relies solely on this rule, the vulnerability may allow unauthorized access.
Impact
Successful exploitation may lead to unauthorized exposure of sensitive static resources.
Possible consequences include:
- Exposure of administrative dashboards
- Leakage of configuration files
- Disclosure of API keys or credentials stored in static content
- Access to hidden development or debug pages
- Retrieval of backup files or internal documents
Although the vulnerability does not permit arbitrary file access outside the static root directory, it can still lead to significant information disclosure if sensitive data is placed within the static path.
Attack Scenario
A typical exploitation scenario would occur in the following way.
An attacker identifies that the application is serving static files from a public directory and that certain paths appear to require authentication.
The attacker then attempts to access those paths using encoded slashes within the URL.
Example normal request:
GET /admin/dashboard.html
This request triggers authentication middleware and access is denied.
The attacker instead sends a request containing an encoded slash.
GET /admin%2Fdashboard.html
The router evaluates the request and does not match it with the protected /admin/* route because %2F is treated as a literal character.
Later in the request processing flow, the static file handler decodes the encoded slash and resolves the request as:
/admin/dashboard.html
The protected file is then served without authentication.
Proof of Concept (Educational Use Only)
The vulnerability may be demonstrated using a simple HTTP request.
Example request:
GET /admin%2Fsecret.html HTTP/1.1
Host: vulnerable-application.com
Using curl:
curl https://vulnerable-application.com/admin%2Fsecret.html
If the application is vulnerable, the protected file may be returned in the response.
Additional test payloads may include:
/admin%2Fconfig.json
/admin%2Fdashboard.html
/private%2Fdata.txt
/secure%2Freport.pdf
These requests should only be used in controlled environments for security testing purposes.
Detection
Indicators of Suspicious Activity
The presence of encoded slashes inside request paths targeting sensitive directories should be considered suspicious.
Common indicators include:
- %2F or %2f inside request URLs
- Access attempts targeting protected directories
- Unusual spikes in requests containing encoded characters
- Requests targeting administrative endpoints without authentication tokens
Repeated scanning attempts from the same IP address may indicate active probing.
Log Sources
Monitoring should be enabled across multiple log sources to detect exploitation attempts. Confirm that each source records the raw request line rather than a decoded path (nginx, for example, keeps the raw form in $request_uri but a decoded form in $uri); a source that logs only the decoded path will not show the %2F sequence the queries below look for.
Recommended log sources include:
- Web server access logs
- Reverse proxy logs
- API gateway logs
- Node.js application logs
- WAF logs
- CDN request logs
Important fields to monitor:
- Request URI
- HTTP method
- Response status code
- Source IP address
- User agent
- Referrer
- Request headers
Detection Queries
Splunk Query
index=web_logs
| search uri_path="*%2F*"
| table _time src_ip method uri_path status user_agent
Detection of encoded slash requests targeting admin directories:
index=web_logs
| search uri_path="*admin%2F*"
| stats count by src_ip uri_path user_agent
Elastic / Kibana Query
url.path:*%2F*
Focused detection:
url.path:*admin%2F*
Combined with the response status (a 200 on an encoded-slash request is the strongest signal of a successful bypass):
url.path:*%2F* AND http.response.status_code:200
Matches here may indicate successful unauthorized access.
Microsoft Sentinel (KQL)
CommonSecurityLog
| where RequestURL contains "%2F"
| project TimeGenerated, SourceIP, RequestURL, DeviceAction, RequestMethod
Targeting sensitive directories:
CommonSecurityLog
| where RequestURL contains "admin%2F"
| summarize count() by SourceIP, RequestURL
WAF Detection Logic
Web Application Firewalls may detect this activity using pattern matching on encoded characters.
Example detection pattern:
%2F
More specific detection rule:
REQUEST_URI contains "%2F" AND REQUEST_URI contains "admin"
Alerts should be generated when such requests are repeatedly observed.
MITRE ATT&CK Mapping
| Tactic | Technique | Description |
|---|---|---|
| Initial Access | T1190 – Exploit Public-Facing Application | Exploitation of web application logic flaw |
| Discovery | T1083 – File and Directory Discovery | Attempting to access protected directories |
| Collection | T1005 – Data from Local System | Retrieval of exposed static files |
Security Recommendations
Several defensive measures should be considered to prevent exploitation.
Upgrade the Package
The affected component should be updated to the patched version immediately.
Avoid Storing Sensitive Data in Static Directories
Sensitive resources should never be placed inside directories intended for public file serving.
Implement Consistent URL Normalization
URL decoding and normalization should be performed consistently before route matching occurs.
Apply Authorization Checks at Multiple Layers
Authentication should not rely solely on route middleware. Additional validation may be performed within application logic.
Deploy WAF Rules
Blocking encoded slash sequences may prevent exploitation attempts.
Patch and Upgrade
The vulnerability has been resolved by ensuring consistent URL decoding between the routing layer and the static file middleware.
Upgrading to the patched version eliminates the authorization bypass condition.
Official patch and upgrade information:
https://github.com/honojs/node-server/releases/tag/v1.19.10
