Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/28532?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/28532?format=api", "purl": "pkg:npm/%40hono/node-server@1.4.1", "type": "npm", "namespace": "@hono", "name": "node-server", "version": "1.4.1", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "1.19.13", "latest_non_vulnerable_version": "1.19.13", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/73086?format=api", "vulnerability_id": "VCID-kpxd-8x1w-p3gw", "summary": "@hono/node-server allows running the Hono application on Node.js. Prior to 1.19.13, a path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes (//) in the request path. When route-based middleware (e.g., /admin/*) is used for authorization, the router may not match paths containing repeated slashes, while serveStatic resolves them as normalized paths. This can lead to a middleware bypass. This vulnerability is fixed in 1.19.13.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-39406", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00019", "scoring_system": "epss", "scoring_elements": "0.05556", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00019", "scoring_system": "epss", "scoring_elements": "0.05548", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00019", "scoring_system": "epss", "scoring_elements": "0.05536", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00019", "scoring_system": "epss", "scoring_elements": "0.05562", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-39406" }, { "reference_url": "https://github.com/honojs/node-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/honojs/node-server" }, { "reference_url": "https://github.com/honojs/node-server/commit/025c30f55d589ddbe6048b151d77e904f67a8cc2", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/honojs/node-server/commit/025c30f55d589ddbe6048b151d77e904f67a8cc2" }, { "reference_url": "https://github.com/honojs/node-server/releases/tag/v1.19.13", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/honojs/node-server/releases/tag/v1.19.13" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39406", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39406" }, { "reference_url": "https://github.com/advisories/GHSA-92pp-h63x-v22m", "reference_id": "GHSA-92pp-h63x-v22m", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-92pp-h63x-v22m" }, { "reference_url": "https://github.com/honojs/node-server/security/advisories/GHSA-92pp-h63x-v22m", "reference_id": "GHSA-92pp-h63x-v22m", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-08T15:17:32Z/" } ], "url": "https://github.com/honojs/node-server/security/advisories/GHSA-92pp-h63x-v22m" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/374167?format=api", "purl": "pkg:npm/%40hono/node-server@1.19.13", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/%2540hono/node-server@1.19.13" } ], "aliases": [ "CVE-2026-39406", "GHSA-92pp-h63x-v22m" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-kpxd-8x1w-p3gw" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/73977?format=api", "vulnerability_id": "VCID-te24-9ce4-g7gx", "summary": "@hono/node-server allows running the Hono application on Node.js. Prior to version 1.19.10, when using @hono/node-server's static file serving together with route-based middleware protections (e.g. protecting /admin/*), inconsistent URL decoding can allow protected static resources to be accessed without authorization. In particular, paths containing encoded slashes (%2F) may be evaluated differently by routing/middleware matching versus static file path resolution, enabling a bypass where middleware does not run but the static file is still served. This issue has been patched in version 1.19.10.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-29087", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.04783", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.04807", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.04803", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.04793", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-29087" }, { "reference_url": "https://github.com/honojs/node-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/honojs/node-server" }, { "reference_url": "https://github.com/honojs/node-server/commit/455015be1697dd89974a68b70350ea7b2d126d2e", "reference_id": "455015be1697dd89974a68b70350ea7b2d126d2e", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-06T17:58:30Z/" } ], "url": "https://github.com/honojs/node-server/commit/455015be1697dd89974a68b70350ea7b2d126d2e" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29087", "reference_id": "CVE-2026-29087", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29087" }, { "reference_url": "https://github.com/advisories/GHSA-wc8c-qw6v-h7f6", "reference_id": "GHSA-wc8c-qw6v-h7f6", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-wc8c-qw6v-h7f6" }, { "reference_url": "https://github.com/honojs/node-server/security/advisories/GHSA-wc8c-qw6v-h7f6", "reference_id": "GHSA-wc8c-qw6v-h7f6", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-06T17:58:30Z/" } ], "url": "https://github.com/honojs/node-server/security/advisories/GHSA-wc8c-qw6v-h7f6" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/40181?format=api", "purl": "pkg:npm/%40hono/node-server@1.19.10", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-kpxd-8x1w-p3gw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/%2540hono/node-server@1.19.10" } ], "aliases": [ "CVE-2026-29087", "GHSA-wc8c-qw6v-h7f6" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-te24-9ce4-g7gx" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/52791?format=api", "vulnerability_id": "VCID-w4x5-48p7-8fhc", "summary": "The adapter @hono/node-server allows you to run your Hono application on Node.js. Prior to 1.10.1, the application hangs when receiving a Host header with a value that `@hono/node-server` can't handle well. Invalid values are those that cannot be parsed by the `URL` as a hostname such as an empty string, slashes `/`, and other strings. The version 1.10.1 includes the fix for this issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-32652", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00523", "scoring_system": "epss", "scoring_elements": "0.67448", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00523", "scoring_system": "epss", "scoring_elements": "0.6746", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00523", "scoring_system": "epss", "scoring_elements": "0.67358", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00523", "scoring_system": "epss", "scoring_elements": "0.67462", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-32652" }, { "reference_url": "https://github.com/honojs/node-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/honojs/node-server" }, { "reference_url": "https://github.com/honojs/node-server/commit/306d98f02a8671a0a1fb91ac8fe7e281690c05af", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/honojs/node-server/commit/306d98f02a8671a0a1fb91ac8fe7e281690c05af" }, { "reference_url": "https://github.com/honojs/node-server/issues/161", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/honojs/node-server/issues/161" }, { "reference_url": "https://github.com/honojs/node-server/issues/159", "reference_id": "159", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-04-23T14:58:57Z/" } ], "url": "https://github.com/honojs/node-server/issues/159" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32652", "reference_id": "CVE-2024-32652", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32652" }, { "reference_url": "https://github.com/honojs/node-server/commit/d847e60249fd8183ba0998bc379ba20505643204", "reference_id": "d847e60249fd8183ba0998bc379ba20505643204", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-04-23T14:58:57Z/" } ], "url": "https://github.com/honojs/node-server/commit/d847e60249fd8183ba0998bc379ba20505643204" }, { "reference_url": "https://github.com/advisories/GHSA-hgxw-5xg3-69jx", "reference_id": "GHSA-hgxw-5xg3-69jx", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-hgxw-5xg3-69jx" }, { "reference_url": "https://github.com/honojs/node-server/security/advisories/GHSA-hgxw-5xg3-69jx", "reference_id": "GHSA-hgxw-5xg3-69jx", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-04-23T14:58:57Z/" } ], "url": "https://github.com/honojs/node-server/security/advisories/GHSA-hgxw-5xg3-69jx" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/30690?format=api", "purl": "pkg:npm/%40hono/node-server@1.10.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-kpxd-8x1w-p3gw" }, { "vulnerability": "VCID-te24-9ce4-g7gx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/%2540hono/node-server@1.10.1" } ], "aliases": [ "CVE-2024-32652", "GHSA-hgxw-5xg3-69jx" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-w4x5-48p7-8fhc" } ], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/33318?format=api", "vulnerability_id": "VCID-ep46-stqg-f3g8", "summary": "@hono/node-server is an adapter that allows users to run Hono applications on Node.js. Since v1.3.0, @hono/node-server has used its own Request object with `url` behavior that is unexpected. In the standard API, if the URL contains `..`, here called \"double dots\", the URL string returned by Request will be in the resolved path. However, the `url` in @hono/node-server's Request as does not resolve double dots, so `http://localhost/static/.. /foo.txt` is returned. This causes vulnerabilities when using `serveStatic`. Modern web browsers and a latest `curl` command resolve double dots on the client side, so this issue doesn't affect those using either of those tools. However, problems may occur if accessed by a client that does not resolve them. Version 1.4.1 includes the change to fix this issue. As a workaround, don't use `serveStatic`.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-23340", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00246", "scoring_system": "epss", "scoring_elements": "0.48324", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00246", "scoring_system": "epss", "scoring_elements": "0.48309", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00246", "scoring_system": "epss", "scoring_elements": "0.48307", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00246", "scoring_system": "epss", "scoring_elements": "0.48169", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-23340" }, { "reference_url": "https://github.com/honojs/node-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/honojs/node-server" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23340", "reference_id": "CVE-2024-23340", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23340" }, { "reference_url": "https://github.com/honojs/node-server/commit/dd9b9a9b23e3896403c90a740e7f1f0892feb402", "reference_id": "dd9b9a9b23e3896403c90a740e7f1f0892feb402", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-08T15:34:31Z/" } ], "url": "https://github.com/honojs/node-server/commit/dd9b9a9b23e3896403c90a740e7f1f0892feb402" }, { "reference_url": "https://github.com/advisories/GHSA-rjq5-w47x-x359", "reference_id": "GHSA-rjq5-w47x-x359", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-rjq5-w47x-x359" }, { "reference_url": "https://github.com/honojs/node-server/security/advisories/GHSA-rjq5-w47x-x359", "reference_id": "GHSA-rjq5-w47x-x359", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-08T15:34:31Z/" } ], "url": "https://github.com/honojs/node-server/security/advisories/GHSA-rjq5-w47x-x359" }, { "reference_url": "https://github.com/honojs/node-server/blob/8cea466fd05e6d2e99c28011fc0e2c2d3f3397c9/src/request.ts#L43-L45", "reference_id": "request.ts#L43-L45", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-08T15:34:31Z/" } ], "url": "https://github.com/honojs/node-server/blob/8cea466fd05e6d2e99c28011fc0e2c2d3f3397c9/src/request.ts#L43-L45" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/28532?format=api", "purl": "pkg:npm/%40hono/node-server@1.4.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-kpxd-8x1w-p3gw" }, { "vulnerability": "VCID-te24-9ce4-g7gx" }, { "vulnerability": "VCID-w4x5-48p7-8fhc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/%2540hono/node-server@1.4.1" } ], "aliases": [ "CVE-2024-23340", "GHSA-rjq5-w47x-x359" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ep46-stqg-f3g8" } ], "risk_score": "4.0", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/%2540hono/node-server@1.4.1" }