{"url":"http://public2.vulnerablecode.io/api/packages/28532?format=json","purl":"pkg:npm/%40hono/node-server@1.4.1","type":"npm","namespace":"@hono","name":"node-server","version":"1.4.1","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"1.19.13","latest_non_vulnerable_version":"1.19.13","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/73086?format=json","vulnerability_id":"VCID-kpxd-8x1w-p3gw","summary":"@hono/node-server allows running the Hono application on Node.js. Prior to 1.19.13, a path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes (//) in the request path. When route-based middleware (e.g., /admin/*) is used for authorization, the router may not match paths containing repeated slashes, while serveStatic resolves them as normalized paths. This can lead to a middleware bypass. This vulnerability is fixed in 1.19.13.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-39406","reference_id":"","reference_type":"","scores":[{"value":"0.00019","scoring_system":"epss","scoring_elements":"0.05556","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00019","scoring_system":"epss","scoring_elements":"0.05548","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00019","scoring_system":"epss","scoring_elements":"0.05536","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00019","scoring_system":"epss","scoring_elements":"0.05562","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-39406"},{"reference_url":"https://github.com/honojs/node-server","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/honojs/node-server"},{"reference_url":"https://github.com/honojs
/node-server/commit/025c30f55d589ddbe6048b151d77e904f67a8cc2","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/honojs/node-server/commit/025c30f55d589ddbe6048b151d77e904f67a8cc2"},{"reference_url":"https://github.com/honojs/node-server/releases/tag/v1.19.13","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/honojs/node-server/releases/tag/v1.19.13"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-39406","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-39406"},{"reference_url":"https://github.com/advisories/GHSA-92pp-h63x-v22m","reference_id":"GHSA-92pp-h63x-v22m","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-92pp-h63x-v22m"},{"reference_url":"https://github.com/honojs/node-server/security/advisories/GHSA-92pp-h63x-v22m","reference_id":"GHSA-92pp-h63x-v22m","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-08T15:17:32Z/"}],"url":"https://github.com/honojs/node-serve
r/security/advisories/GHSA-92pp-h63x-v22m"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/374167?format=json","purl":"pkg:npm/%40hono/node-server@1.19.13","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540hono/node-server@1.19.13"}],"aliases":["CVE-2026-39406","GHSA-92pp-h63x-v22m"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-kpxd-8x1w-p3gw"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/73977?format=json","vulnerability_id":"VCID-te24-9ce4-g7gx","summary":"@hono/node-server allows running the Hono application on Node.js. Prior to version 1.19.10, when using @hono/node-server's static file serving together with route-based middleware protections (e.g. protecting /admin/*), inconsistent URL decoding can allow protected static resources to be accessed without authorization. In particular, paths containing encoded slashes (%2F) may be evaluated differently by routing/middleware matching versus static file path resolution, enabling a bypass where middleware does not run but the static file is still served. 
This issue has been patched in version 1.19.10.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-29087","reference_id":"","reference_type":"","scores":[{"value":"0.00018","scoring_system":"epss","scoring_elements":"0.04783","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00018","scoring_system":"epss","scoring_elements":"0.04807","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00018","scoring_system":"epss","scoring_elements":"0.04803","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00018","scoring_system":"epss","scoring_elements":"0.04793","published_at":"2026-06-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-29087"},{"reference_url":"https://github.com/honojs/node-server","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/honojs/node-server"},{"reference_url":"https://github.com/honojs/node-server/commit/455015be1697dd89974a68b70350ea7b2d126d2e","reference_id":"455015be1697dd89974a68b70350ea7b2d126d2e","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-06T17:58:30Z/"}],"url":"https://github.com/honojs/node-server/commit/455015be1697dd89974a68b70350ea7b2d126d2e"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-29087","reference_id":"CVE-2026-29087","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-29087"},{"refer
ence_url":"https://github.com/advisories/GHSA-wc8c-qw6v-h7f6","reference_id":"GHSA-wc8c-qw6v-h7f6","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-wc8c-qw6v-h7f6"},{"reference_url":"https://github.com/honojs/node-server/security/advisories/GHSA-wc8c-qw6v-h7f6","reference_id":"GHSA-wc8c-qw6v-h7f6","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-06T17:58:30Z/"}],"url":"https://github.com/honojs/node-server/security/advisories/GHSA-wc8c-qw6v-h7f6"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/40181?format=json","purl":"pkg:npm/%40hono/node-server@1.19.10","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-kpxd-8x1w-p3gw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540hono/node-server@1.19.10"}],"aliases":["CVE-2026-29087","GHSA-wc8c-qw6v-h7f6"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-te24-9ce4-g7gx"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/52791?format=json","vulnerability_id":"VCID-w4x5-48p7-8fhc","summary":"The adapter @hono/node-server allows you to run your Hono application on Node.js. Prior to 1.10.1, the application hangs when receiving a Host header with a value that `@hono/node-server` can't handle well. Invalid values are those that cannot be parsed by the `URL` as a hostname such as an empty string, slashes `/`, and other strings. 
The version 1.10.1 includes the fix for this issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-32652","reference_id":"","reference_type":"","scores":[{"value":"0.00523","scoring_system":"epss","scoring_elements":"0.67448","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00523","scoring_system":"epss","scoring_elements":"0.6746","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00523","scoring_system":"epss","scoring_elements":"0.67358","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00523","scoring_system":"epss","scoring_elements":"0.67462","published_at":"2026-06-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-32652"},{"reference_url":"https://github.com/honojs/node-server","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/honojs/node-server"},{"reference_url":"https://github.com/honojs/node-server/commit/306d98f02a8671a0a1fb91ac8fe7e281690c05af","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/honojs/node-server/commit/306d98f02a8671a0a1fb91ac8fe7e281690c05af"},{"reference_url":"https://github.com/honojs/node-server/issues/161","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/honojs/node-server/issues/161"},{"reference_url":"https://github.com/honojs/node-server/issues/159","reference_id":"159","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_eleme
nts":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-04-23T14:58:57Z/"}],"url":"https://github.com/honojs/node-server/issues/159"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-32652","reference_id":"CVE-2024-32652","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-32652"},{"reference_url":"https://github.com/honojs/node-server/commit/d847e60249fd8183ba0998bc379ba20505643204","reference_id":"d847e60249fd8183ba0998bc379ba20505643204","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-04-23T14:58:57Z/"}],"url":"https://github.com/honojs/node-server/commit/d847e60249fd8183ba0998bc379ba20505643204"},{"reference_url":"https://github.com/advisories/GHSA-hgxw-5xg3-69jx","reference_id":"GHSA-hgxw-5xg3-69jx","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-hgxw-5xg3-69jx"},{"reference_url":"https://github.com/honojs/node-server/security/advisories/GHSA-hgxw-5xg3-69jx","reference_id":"GHSA-hgxw-5xg3-69jx","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scor
ing_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-04-23T14:58:57Z/"}],"url":"https://github.com/honojs/node-server/security/advisories/GHSA-hgxw-5xg3-69jx"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/30690?format=json","purl":"pkg:npm/%40hono/node-server@1.10.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-kpxd-8x1w-p3gw"},{"vulnerability":"VCID-te24-9ce4-g7gx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540hono/node-server@1.10.1"}],"aliases":["CVE-2024-32652","GHSA-hgxw-5xg3-69jx"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-w4x5-48p7-8fhc"}],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/33318?format=json","vulnerability_id":"VCID-ep46-stqg-f3g8","summary":"@hono/node-server is an adapter that allows users to run Hono applications on Node.js. Since v1.3.0, @hono/node-server has used its own Request object, whose `url` behavior is unexpected. In the standard API, if the URL contains `..`, here called \"double dots\", the URL string returned by Request contains the resolved path. However, the `url` in @hono/node-server's Request does not resolve double dots, so `http://localhost/static/../foo.txt` is returned. This causes vulnerabilities when using `serveStatic`. Modern web browsers and recent versions of the `curl` command resolve double dots on the client side, so this issue doesn't affect those using either of those tools. However, problems may occur if accessed by a client that does not resolve them. Version 1.4.1 includes the change to fix this issue. 
As a workaround, don't use `serveStatic`.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-23340","reference_id":"","reference_type":"","scores":[{"value":"0.00246","scoring_system":"epss","scoring_elements":"0.48324","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00246","scoring_system":"epss","scoring_elements":"0.48309","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00246","scoring_system":"epss","scoring_elements":"0.48307","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00246","scoring_system":"epss","scoring_elements":"0.48169","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-23340"},{"reference_url":"https://github.com/honojs/node-server","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/honojs/node-server"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-23340","reference_id":"CVE-2024-23340","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-23340"},{"reference_url":"https://github.com/honojs/node-server/commit/dd9b9a9b23e3896403c90a740e7f1f0892feb402","reference_id":"dd9b9a9b23e3896403c90a740e7f1f0892feb402","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-08T15:34:31Z/"}],"url":"https://github.com/honojs/node-server/commit/dd9b9a9b23e3896403c90a740e7f1f0892feb402"},{
"reference_url":"https://github.com/advisories/GHSA-rjq5-w47x-x359","reference_id":"GHSA-rjq5-w47x-x359","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-rjq5-w47x-x359"},{"reference_url":"https://github.com/honojs/node-server/security/advisories/GHSA-rjq5-w47x-x359","reference_id":"GHSA-rjq5-w47x-x359","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-08T15:34:31Z/"}],"url":"https://github.com/honojs/node-server/security/advisories/GHSA-rjq5-w47x-x359"},{"reference_url":"https://github.com/honojs/node-server/blob/8cea466fd05e6d2e99c28011fc0e2c2d3f3397c9/src/request.ts#L43-L45","reference_id":"request.ts#L43-L45","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-08T15:34:31Z/"}],"url":"https://github.com/honojs/node-server/blob/8cea466fd05e6d2e99c28011fc0e2c2d3f3397c9/src/request.ts#L43-L45"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/28532?format=json","purl":"pkg:npm/%40hono/node-server@1.4.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-kpxd-8x1w-p3gw"},{"vulnerability":"VCID-te24-9ce4-g7gx"},{"vulnerability":"VCID-w4x5-48p7-8fhc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540hono/node-server@1.4.1"}],"aliases":["CVE-2024-23340","GHSA-rjq5-w47x-x359"],"risk_score":3.1,"exploi
tability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ep46-stqg-f3g8"}],"risk_score":"4.0","resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540hono/node-server@1.4.1"}