CVE-2026-29045
Published: 04 March 2026
Summary
CVE-2026-29045 is a high-severity Hex Encoding (CWE-177) vulnerability in Hono Hono. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 34.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-29045 affects Hono, a web application framework supporting any JavaScript runtime, in versions prior to 4.12.4. The vulnerability arises from inconsistent URL decoding when using the serveStatic middleware alongside route-based protections, such as app.use('/admin/*', ...). Specifically, Hono's router employs decodeURI, while serveStatic uses decodeURIComponent, creating a mismatch that permits paths with encoded slashes (%2F) to bypass middleware checks yet resolve to the intended filesystem location. This issue, classified under CWE-177 (Incorrect Handling of URL Encoding), carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact.
Remote, unauthenticated attackers can exploit this vulnerability over the network with low complexity and no user interaction. By crafting requests with %2F-encoded paths targeting protected static resources, attackers bypass route middleware authorizations, gaining unauthorized read access to sensitive files served via serveStatic without triggering protective logic.
The issue has been addressed in Hono version 4.12.4, as detailed in the project's security advisory (GHSA-q5qw-h33p-qvwr) and the patching commit (6a0607a929d888893f0c91d92dce2fcfdb3662a3). Security practitioners should upgrade to 4.12.4 or later and review applications using serveStatic with path-based middleware for exposure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-9506
Vulnerability details
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.12.4, when using serveStatic together with route-based middleware protections (e.g. app.use('/admin/*', ...)), inconsistent URL decoding allowed protected static resources to be accessed without authorization.…
more
The router used decodeURI, while serveStatic used decodeURIComponent. This mismatch allowed paths containing encoded slashes (%2F) to bypass middleware protections while still resolving to the intended filesystem path. This issue has been patched in version 4.12.4.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability in public-facing Hono web framework enables remote exploitation via crafted encoded paths (T1190) to bypass middleware and directly read protected static files from the local filesystem (T1005).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Timely identification, reporting, and correction of flaws like the inconsistent URL decoding in Hono directly prevents exploitation of this vulnerability.
Validating information inputs such as URL paths with encoded characters (%2F) ensures consistent decoding and blocks bypass attempts on protected resources.
Enforcing approved authorizations for access to static resources prevents middleware bypasses due to decodeURI/decodeURIComponent mismatches.