CVE-2026-29087

{"id": "CVE-2026-29087", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2026-03-06T18:16:19.757", "references": [{"url": "https://github.com/honojs/node-server/commit/455015be1697dd89974a68b70350ea7b2d126d2e", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/honojs/node-server/security/advisories/GHSA-wc8c-qw6v-h7f6", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-863"}]}], "descriptions": [{"lang": "en", "value": "@hono/node-server allows running the Hono application on Node.js. Prior to version 1.19.10, when using @hono/node-server's static file serving together with route-based middleware protections (e.g. protecting /admin/*), inconsistent URL decoding can allow protected static resources to be accessed without authorization. In particular, paths containing encoded slashes (%2F) may be evaluated differently by routing/middleware matching versus static file path resolution, enabling a bypass where middleware does not run but the static file is still served. This issue has been patched in version 1.19.10."}, {"lang": "es", "value": "@hono/node-server permite ejecutar la aplicaci\u00f3n Hono en Node.js. Antes de la versi\u00f3n 1.19.10, al usar el servicio de archivos est\u00e1ticos de @hono/node-server junto con protecciones de middleware basadas en rutas (por ejemplo, protegiendo /admin/*), una decodificaci\u00f3n de URL inconsistente puede permitir que los recursos est\u00e1ticos protegidos sean accedidos sin autorizaci\u00f3n. En particular, las rutas que contienen barras codificadas (%2F) pueden ser evaluadas de manera diferente por la coincidencia de enrutamiento/middleware frente a la resoluci\u00f3n de rutas de archivos est\u00e1ticos, lo que permite una omisi\u00f3n donde el middleware no se ejecuta pero el archivo est\u00e1tico a\u00fan es servido. Este problema ha sido parcheado en la versi\u00f3n 1.19.10."}], "lastModified": "2026-04-14T17:36:58.930", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:hono:node-server:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "8D3962AC-2C38-4050-BDD6-A695D5B1F50F", "versionEndExcluding": "1.19.10"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}