Look up vulnerable packages by Package URL.

GET /api/packages/74434?format=api
HTTP 200 OK
Allow: GET, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "url": "http://public2.vulnerablecode.io/api/packages/74434?format=api",
    "purl": "pkg:npm/hono@4.12.4",
    "type": "npm",
    "namespace": "",
    "name": "hono",
    "version": "4.12.4",
    "qualifiers": {},
    "subpath": "",
    "is_vulnerable": false,
    "next_non_vulnerable_version": "4.12.7",
    "latest_non_vulnerable_version": "4.12.7",
    "affected_by_vulnerabilities": [],
    "fixing_vulnerabilities": [
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50666?format=api",
            "vulnerability_id": "VCID-5p8b-jvgn-mugv",
            "summary": "Hono vulnerable to arbitrary file access via serveStatic vulnerability\nWhen using `serveStatic` together with route-based middleware protections (e.g. `app.use('/admin/*', ...)`), inconsistent URL decoding allowed protected static resources to be accessed without authorization.\n\nThe router used `decodeURI`, while `serveStatic` used `decodeURIComponent`. This mismatch allowed paths containing encoded slashes (`%2F`) to bypass middleware protections while still resolving to the intended filesystem path.",
            "references": [
                {
                    "reference_url": "https://github.com/honojs/hono",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/honojs/hono"
                },
                {
                    "reference_url": "https://github.com/honojs/hono/commit/6a0607a929d888893f0c91d92dce2fcfdb3662a3",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/honojs/hono/commit/6a0607a929d888893f0c91d92dce2fcfdb3662a3"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29045",
                    "reference_id": "CVE-2026-29045",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29045"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-q5qw-h33p-qvwr",
                    "reference_id": "GHSA-q5qw-h33p-qvwr",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/advisories/GHSA-q5qw-h33p-qvwr"
                },
                {
                    "reference_url": "https://github.com/honojs/hono/security/advisories/GHSA-q5qw-h33p-qvwr",
                    "reference_id": "GHSA-q5qw-h33p-qvwr",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/honojs/hono/security/advisories/GHSA-q5qw-h33p-qvwr"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/74434?format=api",
                    "purl": "pkg:npm/hono@4.12.4",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/hono@4.12.4"
                }
            ],
            "aliases": [
                "CVE-2026-29045",
                "GHSA-q5qw-h33p-qvwr"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-5p8b-jvgn-mugv"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50669?format=api",
            "vulnerability_id": "VCID-mqfv-j37k-2qbf",
            "summary": "Hono Vulnerable to Cookie Attribute Injection via Unsanitized domain and path in setCookie()\nThe `setCookie()` utility did not validate semicolons (`;`), carriage returns (`\\r`), or newline characters (`\\n`) in the `domain` and `path` options when constructing the `Set-Cookie` header.\n\nBecause cookie attributes are delimited by semicolons, this could allow injection of additional cookie attributes if untrusted input was passed into these fields.",
            "references": [
                {
                    "reference_url": "https://github.com/honojs/hono",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/honojs/hono"
                },
                {
                    "reference_url": "https://github.com/honojs/hono/commit/44ae0c8cc4d5ab2bed529127a4ac72e1483ad073",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/honojs/hono/commit/44ae0c8cc4d5ab2bed529127a4ac72e1483ad073"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29086",
                    "reference_id": "CVE-2026-29086",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29086"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-5pq2-9x2x-5p6w",
                    "reference_id": "GHSA-5pq2-9x2x-5p6w",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/advisories/GHSA-5pq2-9x2x-5p6w"
                },
                {
                    "reference_url": "https://github.com/honojs/hono/security/advisories/GHSA-5pq2-9x2x-5p6w",
                    "reference_id": "GHSA-5pq2-9x2x-5p6w",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/honojs/hono/security/advisories/GHSA-5pq2-9x2x-5p6w"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/74434?format=api",
                    "purl": "pkg:npm/hono@4.12.4",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/hono@4.12.4"
                }
            ],
            "aliases": [
                "CVE-2026-29086",
                "GHSA-5pq2-9x2x-5p6w"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-mqfv-j37k-2qbf"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50667?format=api",
            "vulnerability_id": "VCID-pkt4-r2xd-v3a5",
            "summary": "Hono Vulnerable to SSE Control Field Injection via CR/LF in writeSSE()\nWhen using `streamSSE()` in Streaming Helper, the `event`, `id`, and `retry` fields were not validated for carriage return (`\\r`) or newline (`\\n`) characters.\n\nBecause the SSE protocol uses line breaks as field delimiters, this could allow injection of additional SSE fields within the same event frame if untrusted input was passed into these fields.",
            "references": [
                {
                    "reference_url": "https://github.com/honojs/hono",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/honojs/hono"
                },
                {
                    "reference_url": "https://github.com/honojs/hono/commit/f4123ed9ea3c7c52380cc99a079a4d773838846e",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/honojs/hono/commit/f4123ed9ea3c7c52380cc99a079a4d773838846e"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29085",
                    "reference_id": "CVE-2026-29085",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29085"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-p6xx-57qc-3wxr",
                    "reference_id": "GHSA-p6xx-57qc-3wxr",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/advisories/GHSA-p6xx-57qc-3wxr"
                },
                {
                    "reference_url": "https://github.com/honojs/hono/security/advisories/GHSA-p6xx-57qc-3wxr",
                    "reference_id": "GHSA-p6xx-57qc-3wxr",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/honojs/hono/security/advisories/GHSA-p6xx-57qc-3wxr"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/74434?format=api",
                    "purl": "pkg:npm/hono@4.12.4",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/hono@4.12.4"
                }
            ],
            "aliases": [
                "CVE-2026-29085",
                "GHSA-p6xx-57qc-3wxr"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-pkt4-r2xd-v3a5"
        }
    ],
    "risk_score": null,
    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/hono@4.12.4"
}