Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.25, on Windows hosts, an encoded backslash (%5C) in the request path decodes to \, which the Windows path resolver treats as a separator. serve-static then resolves a single URL segment such as admin\secret.txt into a nested file under the root and serves it, letting an attacker read static files meant to be protected behind prefix-mounted middleware. This vulnerability is fixed in 4.12.25.
Metrics
Affected Vendors & Products
No data.
No data.
No data.
OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.
| Vendors | Products |
|---|
References
History
Mon, 22 Jun 2026 17:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.25, on Windows hosts, an encoded backslash (%5C) in the request path decodes to \, which the Windows path resolver treats as a separator. serve-static then resolves a single URL segment such as admin\secret.txt into a nested file under the root and serves it, letting an attacker read static files meant to be protected behind prefix-mounted middleware. This vulnerability is fixed in 4.12.25. | |
| Title | Hono: Path traversal in `serve-static` on Windows via encoded backslash (`%5C`) | |
| Weaknesses | CWE-22 | |
| References |
| |
| Metrics |
cvssV3_1
|
MITRE
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-06-22T17:14:40.133Z
Reserved: 2026-06-12T17:46:37.292Z
Link: CVE-2026-54286
Vulnrichment
No data.
NVD
No data.
Redhat
No data.
OpenCVE Enrichment
Updated: 2026-06-22T18:45:04Z