CVE-2026-29045

{"id": "CVE-2026-29045", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2026-03-04T23:16:10.247", "references": [{"url": "https://github.com/honojs/hono/commit/6a0607a929d888893f0c91d92dce2fcfdb3662a3", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/honojs/hono/security/advisories/GHSA-q5qw-h33p-qvwr", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-177"}]}], "descriptions": [{"lang": "en", "value": "Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.12.4, when using serveStatic together with route-based middleware protections (e.g. app.use('/admin/*', ...)), inconsistent URL decoding allowed protected static resources to be accessed without authorization. The router used decodeURI, while serveStatic used decodeURIComponent. This mismatch allowed paths containing encoded slashes (%2F) to bypass middleware protections while still resolving to the intended filesystem path. This issue has been patched in version 4.12.4."}, {"lang": "es", "value": "Hono es un framework de aplicaci\u00f3n web que proporciona soporte para cualquier tiempo de ejecuci\u00f3n de JavaScript. Antes de la versi\u00f3n 4.12.4, cuando se usaba serveStatic junto con protecciones de middleware basadas en rutas (p. ej., app.use('/admin/*', ...)), una decodificaci\u00f3n inconsistente de URL permit\u00eda que se accediera a recursos est\u00e1ticos protegidos sin autorizaci\u00f3n. El router usaba decodeURI, mientras que serveStatic usaba decodeURIComponent. Esta discrepancia permit\u00eda que las rutas que conten\u00edan barras codificadas (%2F) eludieran las protecciones de middleware mientras segu\u00edan resolvi\u00e9ndose a la ruta de sistema de archivos prevista. Este problema ha sido parcheado en la versi\u00f3n 4.12.4."}], "lastModified": "2026-03-06T18:06:45.650", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:hono:hono:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "8ADA9966-4575-41CC-8905-E1F4E4CB5CA6", "versionEndExcluding": "4.12.4"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}